This report covers the period July 1, 2000 through March 1, 2004 and documents work performed by SRI International for the DARPA PCES and SEC programs through AFRL-WPAFB Contract F33615-00-C-3043.

The project originally focused on compositional formal methods for aspect-oriented programs and was located in the PCES program. Soon after its inception, however, the project was moved to the SEC (Software Enabled Control) program, where its focus shifted to formal analysis of mixed discrete/continuous (i.e., hybrid) systems. We developed a two-step approach to the analysis of hybrid systems: compute a property-preserving discrete approximation to the original hybrid system, and then analyze the discrete approximation. The approximation method is called Hybrid Abstraction and was developed by us in the DARPA MoBIES program. In the present project, we developed the theorem-proving technology that enables automated calculation of the approximation, and we built the SAL (Symbolic Analysis Laboratory) system for specification and analysis of discrete systems.

Research Products

The outputs of this research are documented in a series of technical reports and papers that are collected in Part II of this report. Below, we provide an index and abstracts for these papers. All the papers were selected for presentation at major scientific conferences, and we also provide citations for these publications.

In addition, the methods developed in this project were implemented in prototype tools. DARPA reduced the funding and scope of this project during its execution, and it was terminated early. Nonetheless, we were able to produce the first prototype of the SAL system (SAL 1.0) and to make it available to the research community. With funding from other sources, we have been able to continue development of SAL, and it is now a robust and capable system with many users. SAL is available for download from http://sal.csl.sri.com; a description of its current capabilities is provided in [1] and its successful application to a large problem is described in [2].

Little Engines of Proof by N. Shankar. Published as [3].

The key to practical computation of the approximations used in Hybrid Abstraction is efficient theorem proving over a combination of arithmetic theories. The approach used in this project is based on constructing decision procedures for individual theories, and then combining them to yield a decision procedure for the combined theory. This approach, now widely adopted, is advocated in this influential paper under the name “little engines of proof.”

Abstract. The automated construction of mathematical proof is a basic activity in computing. Since the dawn of the field of automated reasoning, there have been two divergent schools of thought. One school, best represented by Alan Robinson’s resolution method, is based on simple uniform proof search procedures guided by heuristics. The other school, pioneered by Hao Wang, argues for problem-specific combinations of decision and semi-decision procedures. While the former school has been dominant in the past, the latter approach has greater promise. In recent years, several high-quality inference engines have been developed, including propositional satisfiability solvers, ground decision procedures for equality and arithmetic, quantifier elimination procedures for integers and reals, and abstraction methods for finitely approximating problems over infinite domains. We describe some of these “little engines of proof” and a few of the ways in which they can be combined. We focus in particular on combining different decision procedures for use in automated verification.

Deconstructing Shostak by Harald Rueß and N. Shankar. Published as [4].

An important technique for combining “little engines of proof” was originally developed at SRI in the 1970s by Robert Shostak. Although widely used, the foundations of this method have not been rigorously established, and prior to this paper all treatments and implementations were flawed.

Abstract. Decision procedures for equality in a combination of theories are at the core of a number of verification systems. Shostak’s decision procedure for equality in the combination of solvable and canonizable theories has been around for nearly two decades. Variations of this decision procedure have been implemented in a number of systems including STP, Ehdm, PVS, STeP, and SVC. The algorithm is quite subtle, and a correctness argument for it has remained elusive. Shostak’s algorithm and all previously published variants of it yield incomplete decision procedures. We describe a variant of Shostak’s algorithm along with proofs of termination, soundness, and completeness.

Verifying Shostak by Jonathan Ford and N. Shankar. Published as [5].

This paper confirms the correctness of the argument developed in the previous paper by formally verifying it using SRI’s PVS system.

Abstract. Decision procedures for combinations of theories are at the core of many modern theorem provers such as ACL2, Ehdm, PVS, SIMPLIFY, the Stanford Pascal Verifier, STeP, SVC, and Z/Eves. Shostak, in 1984, published a decision procedure for the combination of canonizable and solvable theories. Recently, Rueß and Shankar showed Shostak’s method to be incomplete and nonterminating, and presented a correct version of Shostak’s algorithm along with informal proofs of termination, soundness, and completeness. We describe a formalization and mechanical verification of these proofs using the PVS verification system. The formalization itself posed significant challenges and the verification revealed some gaps in the informal argument.
Combining Shostak Theories by N. Shankar and Harald Rueß. Published as [6].

Shostak’s method works for theories that are canonizable and solvable. The combination of the canonizers yields a canonizer for the combination, but this is not the case for solvers. This paper presents a crucial extension to Shostak’s method that resolves this difficulty.

Abstract. Ground decision procedures for combinations of theories are used in many systems for automated deduction. There are two basic paradigms for combining decision procedures. The Nelson-Oppen method combines decision procedures for disjoint theories by exchanging equality information on the shared variables. In Shostak’s method, the combination of the theory of pure equality with canonizable and solvable theories is decided through an extension of congruence closure that yields a canonizer for the combined theory. Shostak’s original presentation, and others that followed it, contained serious errors that were corrected for the basic procedure by the present authors. Shostak also claimed that it was possible to combine canonizers and solvers for disjoint theories. This claim is easily verifiable for canonizers, but is unsubstantiated for the case of solvers. We show how our earlier procedure can be extended to combine multiple disjoint canonizable, solvable theories within the Shostak framework.

On the Confluence of Linear Shallow Term Rewrite Systems by Guillem Godoy, Ashish Tiwari, and Rakesh Verma. Available as [7].

The method for computing the approximation used in Hybrid Abstraction uses insights from the papers above and from this one. The culmination of all these techniques is the method used in HybridSAL, which was funded under the MoBIES program and is described in [8].

Abstract. This paper shows that the confluence of shallow linear term rewrite systems is decidable. This class of rewrite systems properly includes ground rewrite systems and shallow, linear, and nonsharing rewrite systems, for which confluence was previously shown to admit a polynomial time decision procedure. For example, the commutativity axiom falls under this class. The decision procedure presented in this paper is a nontrivial generalization of the polynomial time algorithms for deciding confluence of ground and restricted nonground term rewrite systems presented previously. This algorithm has polynomial time complexity if the maximum arity of a function symbol in the signature is considered a constant. This paper also gives EXPTIME-hardness proofs for reachability and confluence of shallow term rewrite systems. This shows that the shallow linear assumptions made in this paper are fairly tight.
The SAL Language Manual by Leonardo de Moura, Sam Owre, and N. Shankar. Available as [9].

The heart of the SAL system is its language, also called SAL. The SAL language is an attractive language for writing specifications, and it is also suitable as a target for translating specifications originally written in other notations.


Abstract. SAL stands for Symbolic Analysis Laboratory. It is a framework for combining different tools for abstraction, program analysis, theorem proving, and model checking toward the calculation of properties (symbolic analysis) of transition systems. A key part of the SAL framework is a language for describing transition systems. This language serves as a specification language and as the target for translators that extract the transition system description from popular programming languages such as Esterel, Java, and Statecharts. The language also serves as a common source for driving different analysis tools through translators from the SAL language to the input format for the tools, and from the output of these tools back to the SAL language.

The SAL language was originally designed in collaboration with David Dill of Stanford University and Thomas Henzinger of the University of California at Berkeley. The version presented here is the one currently accepted by the tools developed at SRI.

A Technique for Invariant Generation by Ashish Tiwari, Harald Rueß, Hassen Saïdi, and N. Shankar. Published as [10].

Although the SAL tools currently available (see http://sal.csl.sri.com) are all model checkers, the larger plan includes construction of bridges to deductive methods such as PVS. An important technique in deductive verification is the method of inductive invariance, and a crucial element in the automation of this method is automated construction and strengthening of auxiliary invariants. This paper describes methods for accomplishing this task.

Abstract. Most of the properties established during verification are either invariants or depend crucially on invariants. The effectiveness of automated formal verification is therefore sensitive to the ease with which invariants, even trivial ones, can be automatically deduced. While the strongest invariant can be defined as the least fixed point of the strongest post-condition of a transition system starting with the set of initial states, this symbolic computation rarely converges. We present a method for invariant generation and strengthening that relies on the simultaneous construction of least and greatest fixed points, restricted widening and narrowing, and quantifier elimination. The effectiveness of the method is demonstrated on a number of examples.
Abstract. The automated construction of mathematical proof is a basic activity in computing. Since the dawn of the field of automated reasoning, there have been two divergent schools of thought. One school, best represented by Alan Robinson’s resolution method, is based on simple uniform proof search procedures guided by heuristics. The other school, pioneered by Hao Wang, argues for problem-specific combinations of decision and semi-decision procedures. While the former school has been dominant in the past, the latter approach has greater promise. In recent years, several high-quality inference engines have been developed, including propositional satisfiability solvers, ground decision procedures for equality and arithmetic, quantifier elimination procedures for integers and reals, and abstraction methods for finitely approximating problems over infinite domains. We describe some of these “little engines of proof” and a few of the ways in which they can be combined. We focus in particular on combining different decision procedures for use in automated verification.


Its great triumph was to prove that the sum of two even numbers is even.

Martin Davis [Dav83] (on his Presburger arithmetic procedure)

The most interesting lesson from these results is perhaps that even in a fairly rich domain, the theorems actually proved are mostly ones which call on a very small portion of the available resources of the domain.

Hao Wang (quoted by Davis [Dav83])

* Funded by NSF Grants CCR-0082560 and CCR-9712383, DARPA/AFRL Contract F33615-00-C-3043, and NASA Contract NAS1-20334. John Rushby, Sam Owre, Ashish Tiwari, and Tomás Uribe commented on earlier drafts of this paper.
1 Introduction


At a very early point in its development, the field of automated reasoning took an arguably wrong turn. For nearly forty years now, the focus in automated reasoning research has been on big iron: general-purpose theorem provers based on uniform proof procedures augmented with heuristics. These efforts have not been entirely fruitless. As success stories, one might list an impressive assortment of open problems that have succumbed to semi-brute-force methods, and spin-off applications such as logic programming. However, there has been very little discernible progress on the problem of automated proof construction in any significant mathematical domain. Proofs in these domains tend to be delicate artifacts whose construction requires a collection of well-crafted instruments, little engines of proof, working in tandem. In other disciplines such as numerical analysis, computer algebra, and combinatorial algorithms, it is quite common to have libraries of useful routines. Such software libraries have not taken root in automated deduction because the scientific and engineering challenges involved are quite significant. We examine some of the successes in building and combining little deduction engines for building proofs and refutations (e.g., counterexamples), and survey some of the challenges that still lie ahead.

The tension between general-purpose proof search and special-purpose decision procedures has been with us from very early on. Automated reasoning had its beginnings in the pioneering Logic Theorist system of Newell, Shaw, and Simon [NSS57]. The theorems they proved were shown by Hao Wang [Wan60b] to fall within simply decidable fragments like propositional logic and the $\forall^*\exists^*$ Bernays-Schönfinkel fragment of first-order logic [BGG97]. Many technical ideas from the Logic Theorist such as subgoaling, substitution, replacement, and forward and backward chaining, have been central to automated reasoning, but the dogma that human-oriented heuristics are the key to effective theorem proving has not been vindicated. Hao Wang [Wan60a] proposed an entirely different approach that he called inferential analysis as a parallel to numerical analysis. Central to his approach was the use of domain-specific decision and semi-decision procedures, so that proofs could be constructed by means of reductions to some combination of problems that could each be easily solved. Due to the prevailing bias in artificial intelligence, Wang lost the debate at that point in time, but, as we argue here, his ideas still make plenty of sense. As remarked by Martin Davis [Dav83]:

The controversy referred to may be succinctly characterized as being between the two slogans: “Simulate people” and “Use mathematical logic”.

... Thus as early as 1961 Minsky [Min63] remarked

... it seems clear that a program to solve real mathematical problems will have to combine the mathematical sophistication of Wang with the heuristic sophistication of Newell, Shaw, and Simon.
The debate between human-oriented and logic-oriented approaches is beside the point. The more significant debate in automated reasoning is between two approaches that in analogy with economics can be labelled as macrological and micrological. The macrological approach takes a language and logic such as first-order logic as given, and attempts to find a uniform (i.e., problem-independent) method for constructing proofs of conjectures stated in the logic. The micrological approach attacks a class of problems and attempts to find the most effective way of validating or refuting conjectures in this problem class. In his writings, Hao Wang was actually espousing a micrological viewpoint. He wrote [Wan60a]

In contrast with pure logic, the chief emphasis of inferential analysis is on the efficiency of algorithms, which is usually obtained by paying a great deal of attention to the detailed structure of problems and their solutions, to take advantage of possible systematic short cuts.

Automated reasoning got off to a running start in the 1950s. Already in 1954, Davis [Dav57] had implemented a decision procedure for Presburger arithmetic [Pre29]. Davis and Putnam [DP60], during 1958-60, devised a decision procedure for CNF satisfiability (SAT) based on inference rules for propagation of unit clauses, ground resolution, deletion of clauses with pure literals, and splitting. The ground resolution rule turned out to be space-inefficient and was discarded in the work of Davis, Logemann, and Loveland [DLL62]. Variants of the latter procedure are still employed in modern SAT solvers. Gilmore [Gil60] and Prawitz [Pra60] examined techniques for first-order validity based on Herbrand’s theorem. Many of the techniques from the 1950s still look positively modern.

Robinson’s introduction [Rob65] of the resolution principle (during 1963-65) based on unification brought about a qualitative shift in automated theorem proving. From that point on, the field of automated reasoning never looked forward. Resolution provides a simple inference rule for refutational proofs for first-order statements in skolemized, prenex form. It spawned a multitude of strategies, heuristics, and extensions. Nearly forty years later, resolution [BG01] remains extremely popular as a general-purpose proof search method primarily because the basic method can be implemented and extended with surprising ease. Resolution-based methods have had some success in proving open problems in certain domains where general-purpose search can be productive. The impact of resolution on theorem proving in mathematically rich domains has not been all that encouraging.

The popularity of uniform proof methods like resolution stems from the simple dogma that since first-order logic is a generic language for expressing statements, generic first-order proof search methods must also be adequate for finding proofs. This central dogma seems absurd on the face of it. Stating a problem and solving it are two quite separate matters. But the appeal of the dogma is obvious. A simple, generic method for proving theorems basically hits the jackpot by fulfilling Leibniz’s dream of a reasoning machine. A more sophisticated version of the dogma is that a uniform proof method can serve as the basic structure for introducing domain-specific automation. There is little empirical evidence that even this dogma has any validity.

On the other hand, certain domain-specific automated theorem provers have been quite effective. The Boyer-Moore line of theorem provers [BM79,KMM00] has had significant success in the area of inductive proofs of recursively defined functions. Various geometry theorem provers [CG01] based on both algebraic and non-algebraic, machine-oriented and human-oriented methods, have been able to automatically prove theorems that would tax human ingenuity. Both of these classes of theorem provers owe their success to domain-specific automation rather than general-purpose theorem proving.

Main Thesis. Automated reasoning has for too long been identified with uniform proof search procedures in first-order logic. This approach shows very little promise. The basic seduction of uniform theorem proving techniques is that phenomenal gains could be achieved with very modest implementation effort. Hao Wang [Wan60b,Wan60a,Wan63] in his early papers on automated reasoning sketched the vision of a field of inferential analysis that would take a deeper look at the problem of automating mathematical reasoning while exploiting domain-specific decision procedures. He wrote [Wan63]

That proof procedures for elementary logic can be mechanized is familiar. In practice, however, were we slavishly to follow these procedures without further refinements, we should encounter a prohibitively expansive element. ... In this way we are led to a closer study of reduction procedures and of decision procedures for special domains, as well as of proof procedures of more complex sorts.

Woody Bledsoe [Ble77] made a similar point in arguing for semantic theorem proving techniques as opposed to resolution.

Decision procedures [Rab78], and more generally inference procedures, are crucial to the approach advocated here. Few problems are stated in a form that is readily decidable, but proof search strategies, heuristics, and human guidance can be used to decompose these problems into decidable subproblems. Thus, even though not many interesting problems are directly expressible in Presburger arithmetic, a great many of the naturally arising proof obligations and subproblems do fall into this decidable class.

Building a library of automated reasoning routines along the lines of numerical analysis and computer algebra is not as easy as it looks. A theorem prover has a simple interface in that it is given a conjecture and it returns a proof or a disproof. The lower-level procedures often lack clear interface specifications of this sort. Even if they did, building a theorem prover out of modular components may not be as efficient as a more monolithic system. Boyer and Moore [BM86] indicate how even a simple decision procedure can have a complex interaction with the other components, so that it is not merely a black box that returns proved or disproved. The construction of modular inference procedures is a challenging research issue in automated reasoning.

Work on little engines of proof has been gathering steam lately. Many groups are actively engaged in the construction of little proof engines, while others are putting in place the train tracks on which these engines can run. PVS [ORSvH95] itself can be seen as an attempt to unify many different inference procedures: typechecking, ground decision procedures, simplification, rewriting, MONA [EKM98], model checking [CGP99], abstraction, and static analysis, within a single system with an expressive language for writing mathematics.


2 Propositional Logic

The very first significant metamathematical results were those on the soundness, completeness, and decidability of propositional logic [Pos21]. Since boolean logic has applications in digital circuit design, a lot of attention has been paid to the problem of propositional satisfiability. A propositional formula is built from propositional atoms $p_i$ by means of negation $\neg\phi$, disjunction $\phi_1 \vee \phi_2$, and conjunction $\phi_1 \wedge \phi_2$. Further propositional connectives can be defined in terms of basic ones like $\neg$ and $\vee$. A propositional formula can be placed in negation normal form, where all the negations are applied only to propositional atoms. A literal $l$ is an atom $p$ or its negation $\neg p$. A clause $C$ is a disjunction of literals. By labelling subformulas with atoms and using distributivity, any propositional formula can be efficiently transformed into one that is in conjunctive normal form (CNF) as a conjunction of clauses. A CNF formula can be viewed as a bag $\Gamma$ of clauses. The Davis-Putnam method (DP) [DP60] consisted of the following rules:

1. Unit propagation: $l, \Gamma$ is satisfiable if $\Gamma[l \mapsto \top, \neg l \mapsto \bot]$ is satisfiable.

2. Pure literal: $\Gamma$ is satisfiable if $\Gamma - \Delta$ is satisfiable, for $\neg l \notin [\Gamma]$, where $[\Gamma]$ is the set of subformulas of $\Gamma$, and $l \in C$ for each $C \in \Delta$.

3. Splitting: $\Gamma$ is satisfiable if either $l, \Gamma$ or $\neg l, \Gamma$ is satisfiable.

4. Ground resolution: $l \vee C_1, \neg l \vee C_2, \Gamma$ is satisfiable if $C_1 \vee C_2, \Gamma$ is satisfiable.

The Davis-Logemann-Loveland (DLL) variant [DLL62] drops the ground resolution rule since it turned out to be space-inefficient. Several modern SAT solvers such as SATO [Zha97], GRASP [MSS99], and Chaff [MMZ+01], are based on the DLL method. They are capable of solving satisfiability problems with hundreds of thousands of propositional variables and clauses. With this kind of performance, many significant applications become feasible, including invariant checking for systems of bounded size, bounded model checking, i.e., the search for counterexamples of length $k$ for a temporal property, and boolean equivalence checking, where two circuits are checked to have the same input/output behavior.
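The DLL rules just described (unit propagation, pure-literal deletion and splitting on a bag of clauses), written out as an added example; this is illustration code for this page, not code from the paper or from SRI's tools, and the encoding of literals as signed integers and clauses as frozensets is this example's own convention.

```python
"""
DLL-style SAT procedure on a bag Gamma of clauses, keeping the three rules
retained by Davis, Logemann and Loveland: unit propagation, pure-literal
deletion and splitting (the space-hungry ground resolution rule is dropped).

Representation (an assumption of this example, not the paper's notation):
  literal : nonzero int, -p is the negation of atom p
  clause  : frozenset of literals
  formula : list of clauses (a bag; duplicates are allowed)
"""
from typing import Dict, FrozenSet, List, Optional

Clause = FrozenSet[int]
Formula = List[Clause]
Model = Dict[int, bool]


def assign(gamma: Formula, lit: int) -> Formula:
    """Gamma[lit -> T, -lit -> F]: drop satisfied clauses, shrink the rest."""
    out: Formula = []
    for c in gamma:
        if lit in c:
            continue                 # clause already satisfied: remove it
        out.append(c - {-lit})       # falsified literal disappears; may leave {}
    return out


def unit_literal(gamma: Formula) -> Optional[int]:
    """Rule 1 trigger: the literal of some unit clause, or None."""
    for c in gamma:
        if len(c) == 1:
            return next(iter(c))
    return None


def pure_literal(gamma: Formula) -> Optional[int]:
    """Rule 2 trigger: a literal l such that -l occurs nowhere in Gamma."""
    lits = {l for c in gamma for l in c}
    for l in lits:
        if -l not in lits:
            return l
    return None


def dll(gamma: Formula, model: Model) -> Optional[Model]:
    """Return a (partial) satisfying assignment atom -> bool, or None if UNSAT."""
    while True:
        if not gamma:
            return model                         # empty bag: satisfiable
        if any(len(c) == 0 for c in gamma):
            return None                          # empty clause: refuted
        lit = unit_literal(gamma)
        if lit is None:
            lit = pure_literal(gamma)            # removing all clauses with l
        if lit is None:
            break                                # no cheap rule applies
        model = {**model, abs(lit): lit > 0}
        gamma = assign(gamma, lit)
    # Rule 3, splitting: Gamma is satisfiable iff l,Gamma or -l,Gamma is.
    lit = next(iter(gamma[0]))
    for choice in (lit, -lit):
        res = dll(assign(gamma, choice), {**model, abs(choice): choice > 0})
        if res is not None:
            return res
    return None


def solve(cnf: List[List[int]]) -> Optional[Model]:
    """Entry point: CNF as a list of integer lists, e.g. [[1, -2], [2, 3]]."""
    return dll([frozenset(c) for c in cnf], {})


def satisfies(cnf: List[List[int]], model: Model) -> bool:
    """Independent check: every clause has a literal made true by the model.
    Atoms the model leaves unassigned may take any value; False is used."""
    return all(any(model.get(abs(l), False) == (l > 0) for l in c) for c in cnf)


# Constructed inputs for a quick self-check.
SAT_EXAMPLE = [[1, 2], [-1, 3], [-2, 3], [-3, 4]]            # (p or q) and ...
UNSAT_EXAMPLE = [[1, 2], [-1, 2], [1, -2], [-1, -2]]          # all four 2-clauses

if __name__ == "__main__":
    m = solve(SAT_EXAMPLE)
    print("SAT example:", m, "checks:", m is not None and satisfies(SAT_EXAMPLE, m))
    print("UNSAT example:", solve(UNSAT_EXAMPLE))
```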
Stålmarck’s method [SS00] does not employ a CNF representation. Truth values are propagated from formulas to subformulas through a method known as saturation. There is a splitting rule similar to that of DP, but it can be applied to subformulas and not just propositions. The key component of Stålmarck’s method is the dilemma rule, which considers the intersection of the two subformula truth assignments derived from splitting. Further splitting is carried out with respect to this intersection.

Binary Decision Diagrams. Reduced Ordered Binary Decision Diagrams (ROBDDs) [Bry86] are a canonical representation for boolean functions, i.e., functions from $\mathbb{B}^n$ to $\mathbb{B}$. BDDs are binary branching directed acyclic graphs where the nodes are variables and the outgoing branches correspond to the assignment of $\top$ and $\bot$ to the variable. There is a total ordering of variables that is maintained along any path in the graph. The graph is kept in reduced form so that if there is a node such that both of its branches lead to the same subgraph, then the node is eliminated.

Standard operations like negation, conjunction, disjunction, composition, and boolean quantification have efficient implementations using BDDs. The BDD data structure has primarily been used for boolean equivalence checking and symbolic model checking. The main advantage of BDDs over other representations is that checking equivalence is easy. Boolean quantification is also handled more readily using BDDs. BDDs can also be used for SAT solving since a BDD is in fact a compact representation for all solutions of a boolean formula. But the strength of BDDs is in representing boolean functions of low communication complexity, i.e., where it is possible to partition the variables so that there are few dependencies between variables across the partition. BDDs have been popular for symbolic model checking [CGP99] and boolean equivalence checking.

Quantified Boolean Formulas and Transition Systems. In a propositional logic formula, all variables are implicitly universally quantified. One obvious extension is the introduction of Boolean existential and universal quantification. The resulting fragment is called quantified boolean formulas (QBF). This kind of quantification can be expressed purely in propositional logic. For example, the formula $(\exists p : Q)$ is equivalent to $(Q[p \mapsto \top] \vee Q[p \mapsto \bot])$. The language of QBF is of course exponentially more succinct than propositional logic. The decision procedure for QBF validity is a PSPACE-complete problem. Many interesting problems that can be cast as interactive games can be mapped to QBF.

Finite-state transition systems can be defined in QBF. A finite state type consists of a finite number of distinct variables over types such as booleans, scalars, subranges, and finite arrays over a finite element type. A finite state type can be encoded in binary form. A transition system over a finite state type that is represented by $n$ boolean variables then consists of an initialization predicate $I$ that is an $n$-ary boolean function, and a transition relation $N$ that is a $2n$-ary boolean function. The nondeterministic choice between two transition relations $N_1$ and $N_2$ is easily expressed as $N_1 \lor N_2$. Internal state can be hidden through boolean quantification. The composition $(N_1; N_2)$ of two transition relations $N_1$ and $N_2$ can be captured as $\exists y : N_1(x, y) \land N_2(y, x')$.

Fixpoints and Model Checking. QBF can be further extended through the addition of fixpoint operators that can capture the transitive closure of a transition relation. Given a transition relation $N$, the reflexive-transitive closure of $N$ can be written as $\mu Q : x' = x \lor (\exists y : N(x, y) \land Q(y, x'))$. Similarly, the set of states reachable from the initial set of states can be represented as $\mu Q : I(x) \lor (\exists y : Q(y) \land N(y, x))$. The boolean function represented by a fixpoint formula can be computed by unwinding the fixpoint until convergence is reached. For this, the ROBDD representation of the boolean function is especially convenient since it makes it easy to detect convergence through an equivalence test, and to represent boolean quantification [BCM+92,McM93]. The boolean fixpoint calculus can easily represent the temporal operators of the branching-time temporal logic CTL, where one can for example assert that a property always (or eventually) holds on all (or some) computation paths leading out of a state. The boolean fixpoint calculus can also represent different fairness constraints on paths. The emptiness problem for Büchi automata over infinite words can be expressed using fairness constraints. This in turn captures the model checking problem for linear-time temporal logics [VW86,Kur93].
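To make the fixpoint iteration above concrete, here is a small reduced ordered BDD package (unique table, Shannon-expansion apply, boolean quantification, renaming) and the reachability computation $\mu Q : I(x) \lor (\exists y : Q(y) \land N(y, x))$ unwound to convergence, with convergence detected by the node-identity test that canonical ROBDDs make possible. This is an added example, not code from the report or from SAL; the two-bit transition system, its encoding, and the variable order are constructed for illustration.

```python
class BDD:
    """Reduced ordered BDDs: ids 0/1 are terminals, other ids name unique (var, low, high) triples."""
    OPS = {"and": lambda a, b: a and b, "or": lambda a, b: a or b}

    def __init__(self, order):
        self.order = {v: i for i, v in enumerate(order)}   # total variable order
        self.nodes = [None, None]                           # id -> (var, low, high)
        self.unique, self.memo = {}, {}

    def mk(self, v, low, high):
        """Make node (v, low, high), eliminating it when both branches agree."""
        if low == high:
            return low
        key = (v, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, v):
        return self.mk(v, 0, 1)

    def cofactor(self, u, x, b):
        if u < 2 or self.nodes[u][0] != x:       # x is not on top of u
            return u
        return self.nodes[u][1 + b]

    def apply(self, op, u, v):
        """Shannon expansion on the earliest variable of u and v, memoised."""
        key = (op, u, v)
        if key not in self.memo:
            if u < 2 and v < 2:
                self.memo[key] = int(self.OPS[op](bool(u), bool(v)))
            else:
                x = min((self.nodes[n][0] for n in (u, v) if n >= 2), key=self.order.get)
                low = self.apply(op, self.cofactor(u, x, 0), self.cofactor(v, x, 0))
                high = self.apply(op, self.cofactor(u, x, 1), self.cofactor(v, x, 1))
                self.memo[key] = self.mk(x, low, high)
        return self.memo[key]

    def neg(self, u):
        if u < 2:
            return 1 - u
        v, low, high = self.nodes[u]
        return self.mk(v, self.neg(low), self.neg(high))

    def restrict(self, u, x, b):
        """Fix variable x to b anywhere in u."""
        if u < 2:
            return u
        v, low, high = self.nodes[u]
        if v == x:
            return high if b else low
        if self.order[v] > self.order[x]:      # x cannot occur below v
            return u
        return self.mk(v, self.restrict(low, x, b), self.restrict(high, x, b))

    def exists(self, u, xs):
        """Boolean existential quantification: u[x:=0] or u[x:=1] for each x."""
        for x in xs:
            u = self.apply("or", self.restrict(u, x, 0), self.restrict(u, x, 1))
        return u

    def rename(self, u, mapping):
        """Rename variables; the mapping must respect the order (primed -> unprimed does)."""
        if u < 2:
            return u
        v, low, high = self.nodes[u]
        return self.mk(mapping.get(v, v), self.rename(low, mapping), self.rename(high, mapping))

    def evaluate(self, u, env):
        while u >= 2:
            v, low, high = self.nodes[u]
            u = high if env[v] else low
        return bool(u)


def cube(bdd, lits):
    """Conjunction of literals given as (variable, 0/1) pairs."""
    u = 1
    for v, val in lits:
        u = bdd.apply("and", u, bdd.var(v) if val else bdd.neg(bdd.var(v)))
    return u


def reachable_states():
    """Constructed 2-bit system 0 -> 1 -> 2 -> 2 with initial state 0: unwind
    mu Q . I(x) or (exists y . Q(y) and N(y, x)) until the BDD stops changing."""
    bdd = BDD(["x1", "x1p", "x0", "x0p"])               # interleave current/next bits
    bits = lambda s: ((s >> 1) & 1, s & 1)
    N = 0
    for s, t in [(0, 1), (1, 2), (2, 2)]:
        (s1, s0), (t1, t0) = bits(s), bits(t)
        N = bdd.apply("or", N, cube(bdd, [("x1", s1), ("x0", s0), ("x1p", t1), ("x0p", t0)]))
    R = cube(bdd, [("x1", 0), ("x0", 0)])               # I(x): only state 0
    while True:
        post = bdd.exists(bdd.apply("and", R, N), ["x1", "x0"])
        new = bdd.apply("or", R, bdd.rename(post, {"x1p": "x1", "x0p": "x0"}))
        if new == R:                                    # convergence = node-id equality
            return [s for s in range(4) if bdd.evaluate(R, dict(zip(("x1", "x0"), bits(s))))]
        R = new
```

State 3 is never reached, so the fixpoint is the function $\neg(x_1 \land x_0)$; because the representation is canonical, the third iteration returns the very same node id and the loop stops.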

Weak monadic second-order logic of a single successor (WS1S). WS1S has a successor operation for constructing natural numbers, first-order quantification over natural numbers, and second-order quantification over finite sets of natural numbers. WS1S is a natural formalism for many applications, particularly for parametric systems. The logic can be used to capture interesting datatypes such as regular expressions, lists, queues, and arrays. There is a direct mapping between the logic and finite automata. A finite set $X$ of natural numbers can be represented as a bit-string where a 1 in the $i$-th position indicates that $i$ is a member of $X$. A formula with free set variables $X_1, \ldots, X_n$ then denotes a set of strings over $\mathbb{B}^n$. The logical operations have automata-theoretic counterparts, so that negation is complementation, conjunction is the product of automata, and existential quantification is projection. The MONA library [EKM98] uses an ROBDD representation for the automaton corresponding to the formula.


3  Equality  and  Inequality 

Equality introduces some of the most significant challenges in automated reasoning [HO80]. Many subareas of theorem proving are devoted to equality, including rewriting, constraint solving, and unification. In this section we focus on ground decision procedures for equality. Many theorem proving systems are based around decision procedures for equality. The language now includes terms, which are built from variables $x$ and applications $f(a_1, \ldots, a_n)$ of an $n$-ary function symbol $f$ to $n$ terms $a_1, \ldots, a_n$. The ground fragment can be seen as an extension of propositional logic where the propositional atoms are of the form $a = b$, for terms $a$ and $b$. The literals are now either equations $a = b$ or disequations $a \neq b$. The variables in a formula are taken to be universally quantified. The validity of a formula $\phi$ that is a propositional combination of equalities can be decided by first transforming $\neg\phi$ into disjunctive normal form $D_1 \lor \ldots \lor D_n$, and checking that each disjunct $D_i$, which is a conjunction of literals, is refutable. The refutation of a conjunction $D_i$ of literals can be carried out by partitioning the terms in $D_i$ into equivalence classes of terms with respect to the equalities in $D_i$. If for some disequation $a \neq b$ in $D_i$, $a$ and $b$ appear in the same equivalence class, then we have a contradiction and $D_i$ has been refuted. The original claim $\phi$ is verified if each such disjunct $D_i$ has been refuted.

If the function symbols are all uninterpreted, then congruence closure can be used to construct the equivalence classes corresponding to the conjunction of literals $D_i$. Let the set of subterms of $D_i$ be $[\![D_i]\!]$. The initial partition $P_0$ is the set $\{\{c\} \mid c \in [\![D_i]\!]\}$. When an equality of the form $a = b$ from $D_i$ is processed, it results in the merging of the equivalence classes corresponding to $a$ and $b$. As a result of this merge, other equivalence classes might become mergeable. For example, one equivalence class might contain $f(a_1, \ldots, a_n)$ while the other contains $f(b_1, \ldots, b_n)$, and each $a_j$ is in the same equivalence class as the corresponding $b_j$. The merging of equivalence classes is performed until no further mergeable pairs of equivalence classes remain, and the partition $P_1$ is constructed. The equalities in $D_i$ are successively processed and the resulting partition is returned as $P_m$. If for some disequality $a \neq b$, $a$ and $b$ are in the same equivalence class in $P_m$, then a contradiction is returned. Otherwise, the conjunction $D_i$ is satisfiable.
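The congruence closure procedure just described, as an added example (not the report's code): a union-find over the subterms of $D_i$ starts from the singleton partition $P_0$, each equality merges two classes and then any classes that have become congruent, and the disequalities are checked against the final partition $P_m$. The term encoding and the three sample conjunctions are constructed for illustration.

```python
from itertools import combinations

# Terms are nested tuples: ("a",) is the constant a, ("f", ("a",), ("b",)) is f(a, b).


def subterms(t, acc=None):
    """Collect every subterm of t, t itself included."""
    if acc is None:
        acc = set()
    acc.add(t)
    for arg in t[1:]:
        subterms(arg, acc)
    return acc


class CongruenceClosure:
    """Union-find over the subterms, starting from the singleton partition P_0."""

    def __init__(self, terms):
        self.parent = {t: t for t in terms}

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self.parent[ra] = rb
        return True

    def congruent(self, s, t):
        """f(a_1..a_n) and f(b_1..b_n) are congruent if each a_j ~ b_j already holds."""
        return (len(s) == len(t) > 1 and s[0] == t[0]
                and all(self.find(x) == self.find(y) for x, y in zip(s[1:], t[1:])))

    def merge(self, a, b):
        """Merge the classes of a and b, then keep merging classes that have
        become congruent until no mergeable pair remains."""
        if not self.union(a, b):
            return
        changed = True
        while changed:
            changed = False
            for s, t in combinations(list(self.parent), 2):
                if self.find(s) != self.find(t) and self.congruent(s, t):
                    self.union(s, t)
                    changed = True


def satisfiable(equalities, disequalities):
    """Decide a conjunction D_i of ground (dis)equalities over uninterpreted symbols."""
    terms = set()
    for a, b in equalities + disequalities:
        subterms(a, terms)
        subterms(b, terms)
    cc = CongruenceClosure(terms)
    for a, b in equalities:                 # process the equalities one by one
        cc.merge(a, b)
    # The final partition P_m refutes D_i iff some a != b has a and b in one class.
    return all(cc.find(a) != cc.find(b) for a, b in disequalities)


def f(t):
    return ("f", t)


A, B, C = ("a",), ("b",), ("c",)


def example_congruence():
    """a = b, f(a) != f(b): the classes of f(a) and f(b) merge by congruence, so unsat."""
    return satisfiable([(A, B)], [(f(A), f(B))])


def example_chain():
    """f^3(a) = a and f^5(a) = a entail f(a) = a, so f(a) != a is refuted."""
    f3 = f(f(f(A)))
    f5 = f(f(f3))
    return satisfiable([(f3, A), (f5, A)], [(f(A), A)])


def example_consistent():
    """a = b, f(a) != f(c): c is unrelated to a and b, so this is satisfiable."""
    return satisfiable([(A, B)], [(f(A), f(C))])
```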

Linear arithmetic. A large fraction of the subgoals that arise in verification condition generation, typechecking, array-bounds checking, and constraint solving involve linear arithmetic constraints [BW01]. Linear arithmetic equalities in $n$ variables have the form $c_0 + c_1 * x_1 + \ldots + c_n * x_n = 0$, where the coefficients $c_i$ range over the rationals, and the variables $x_i$ range over the rationals or reals. It is easy to isolate a single variable, say $x_1$, as $x_1 = -c_0/c_1 - (c_2/c_1) * x_2 - \ldots - (c_n/c_1) * x_n$. This solved form for $x_1$ can then be substituted into the remaining linear equations, thus eliminating the variable $x_1$. Gaussian elimination is based on the same idea, where the set of linear equations is represented by $A * X = P$, and the matrix representation of the linear equations is transformed into row echelon form in order to solve for the variables.

Linear inequalities are of the form $c_0 + c_1 * x_1 + \ldots + c_n * x_n \bowtie 0$, where $\bowtie$ is either $<$, $\leq$, $>$, or $\geq$. Note that linear inequalities, unlike equalities, are closed under negation. Any linear equality can also be easily transformed into a pair of inequalities. As with linear equalities, linear inequalities can also be transformed into a form where a single variable is isolated. A pair of inequalities, $x < a$ and $x > b$, can be resolved to obtain $b < a$, thus eliminating $x$. This kind of Fourier-Motzkin elimination [DE73] can be used as a quantifier elimination procedure to decide the first-order theory of linear arithmetic by repeatedly reducing any quantified formula of the form $\exists x : P(x)$, where $P(x)$ is a conjunction of inequalities, into the form $P'$, where $x$ has been eliminated. By eliminating quantifiers in an inside-out order while transforming universal quantification $\forall x : A$ into $\neg\exists x : \neg A$, we arrive at an equivalent variable-free formula that directly evaluates to true or false. Linear programming techniques like Simplex [Nel81] can also be used for solving linear arithmetic inequality constraints. Separation predicates are linear inequalities of the form $x - y < c$ or $x - y \leq c$ for some constant $c$, and these can be decided with graph-theoretic techniques [Sho81]. This simple class of linear inequalities is useful in model checking timed automata [ACD93].
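Fourier-Motzkin elimination as described above, written out as an added example (not the report's code) over exact rationals: each step isolates one variable, resolves every lower bound against every upper bound, and the variable-free remainder decides satisfiability; the same `eliminate` step is the $\exists x$ quantifier elimination. The constraint encoding and the sample systems are constructed for illustration.

```python
from fractions import Fraction as Q

# A constraint is (coeffs, c0, strict), standing for  sum_v coeffs[v]*v + c0 < 0
# when strict is True and  sum_v coeffs[v]*v + c0 <= 0  otherwise.


def constraint(coeffs, c0, strict=False):
    return ({v: Q(c) for v, c in coeffs.items() if c != 0}, Q(c0), strict)


def resolve(lower, upper):
    """A lower bound x >= L (stored as -x + L) and an upper bound x <= -U (stored
    as x + U) resolve to L + U <= 0, strict if either side was strict."""
    coeffs = dict(lower[0])
    for v, c in upper[0].items():
        coeffs[v] = coeffs.get(v, Q(0)) + c
    return ({v: c for v, c in coeffs.items() if c != 0}, lower[1] + upper[1], lower[2] or upper[2])


def eliminate(constraints, x):
    """One Fourier-Motzkin step: project out x.  Each constraint mentioning x is
    scaled so x has coefficient +1 (upper bound) or -1 (lower bound) and every
    lower/upper pair is resolved; constraints without x pass through unchanged."""
    lower, upper, rest = [], [], []
    for coeffs, c0, strict in constraints:
        a = coeffs.get(x, Q(0))
        if a == 0:
            rest.append((coeffs, c0, strict))
            continue
        residue = ({v: c / abs(a) for v, c in coeffs.items() if v != x}, c0 / abs(a), strict)
        (upper if a > 0 else lower).append(residue)
    return rest + [resolve(lo, up) for lo in lower for up in upper]


def satisfiable(constraints):
    """Decide a conjunction of linear inequalities over the rationals by eliminating
    every variable and evaluating the variable-free constraints that remain."""
    cs = list(constraints)
    for x in sorted({v for c in cs for v in c[0]}):
        cs = eliminate(cs, x)
    return all(c0 < 0 if strict else c0 <= 0 for _, c0, strict in cs)


def example_cycle():
    """x + 1 <= y, y + 1 <= z, z <= x: unsatisfiable (constructed)."""
    return satisfiable([constraint({"x": 1, "y": -1}, 1),
                        constraint({"y": 1, "z": -1}, 1),
                        constraint({"z": 1, "x": -1}, 0)])


def example_strict():
    """x < y and y < x: each alone is fine; together they resolve to 0 < 0."""
    return satisfiable([constraint({"x": 1, "y": -1}, 0, strict=True),
                        constraint({"y": 1, "x": -1}, 0, strict=True)])


def example_triangle():
    """x >= 0, y >= 0, x + y <= 1: satisfiable (constructed)."""
    return satisfiable([constraint({"x": -1}, 0), constraint({"y": -1}, 0),
                        constraint({"x": 1, "y": 1}, -1)])


def example_projection():
    """Quantifier elimination: exists x. 0 <= x and x <= y projects to 0 <= y,
    i.e. the single constraint -y <= 0 with x gone."""
    return eliminate([constraint({"x": -1}, 0), constraint({"x": 1, "y": -1}, 0)], "x")
```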

Presburger arithmetic [Pre29] is the first-order theory of linear arithmetic over the integers. Solving constraints over the integers is harder than over the rationals and reals. Cooper [Coo72,Opp78] gives an efficient quantifier elimination algorithm for Presburger arithmetic. Once again, we need only consider quantifiers of the form $\exists x : P(x)$ where $P(x)$ is a conjunction of inequalities. We add divisibility assertions of the form $k \mid a$, where $k$ is a positive integer. An inequality of the form $c_0 + c_1 * x_1 + \ldots + c_n * x_n > 0$ can be transformed to $c_1 * x_1 > -c_0 - c_2 * x_2 - \ldots - c_n * x_n$, and similarly for other inequality relations. Since we are dealing with integers, a nonstrict inequality like $a \leq b$ can be transformed to $a < b + 1$. Having isolated all occurrences of $x_1$, we can compute the least common multiple, say $l_1$, of the coefficients corresponding to each occurrence of $x_1$. Now $P(x_1)$ is of the form $P'(l_1 * x_1)$, and $\exists x_1 : P(x_1)$ can be replaced by $\exists x_1 : P'(x_1) \land l_1 \mid x_1$. Here, $P'(x)$ is a conjunction of formulas of the forms $x < a$, $x > b$, $k \mid x + d$, and $j \nmid x + e$. Let $A = \{a \mid x < a \in P'(x)\}$, $B = \{b \mid x > b \in P'(x)\}$, $K = \{k \mid (k \mid x + d) \in P'(x)\}$, and $J = \{j \mid (j \nmid x + e) \in P'(x)\}$. Let $G$ be the least common multiple of $K \cup J$. If $A$ is nonempty, then $\exists x : P'(x)$ can be transformed to $\bigvee_{a \in A} \exists x : a - G \leq x < a \land P'(x)$. The bounded existential quantification in the latter formula can easily be eliminated. Essentially, if $m$ satisfies the constraints in $K \cup J$, then so does $m + r * G$ for any integer $r$. Hence, if $P'(m)$ holds for some $m$ and $A$ is nonempty, then there is an $m$ in the interval $[a - G, a)$ for some $a \in A$ such that $P'(m)$ holds. Similarly, if $B$ is nonempty, $\exists x : P'(x)$ can also be transformed to $\bigvee_{b \in B} \exists x : b < x \leq b + G \land P'(x)$. If both $A$ and $B$ are empty, then $\exists x : P'(x)$ is transformed to $\exists x : 0 \leq x < G \land P'(x)$. For example, the claim that $x$ is an even integer can be expressed as $\exists u : 2 * u = x$ if we avoid the divisibility predicate. The quantifier elimination transformation above would convert this to $u' > x - 1 \land u' < x + 1 \land (2 \mid u')$, which eventually yields $(x > x - 1 \land x < x + 1 \land 2 \mid x) \lor (x + 1 > x - 1 \land x + 1 < x + 1 \land (2 \mid x + 1))$. The latter formula easily simplifies to $(2 \mid x)$. The claim that the sum of two even numbers is even then has the form $(\forall x : \forall y : 2 \mid x \land 2 \mid y \supset 2 \mid (x + y))$. Converting universal quantification to existential quantification yields $\neg\exists x : \exists y : 2 \mid x \land 2 \mid y \land 2 \nmid (x + y)$. Quantifier elimination yields $\neg\exists x : 0 \leq x < 2 \land \exists y : 0 \leq y < 2 \land (2 \mid x) \land (2 \mid y) \land (2 \nmid x + y)$, which is clearly valid. The decidability of Presburger arithmetic can also be reduced to that of WS1S, and even though the latter theory has nonelementary complexity, this reduction using MONA works quite efficiently in practice [SKR98].

By the unsolvability of Hilbert's tenth problem, even the quantifier-free fragment of nonlinear arithmetic over the integers or rationals is undecidable. However, the first-order theory of nonlinear arithmetic over the reals and the complex numbers is decidable. Tarski [Tar48] gave a decision procedure for this theory. Collins [Col75] gave an improved quantifier elimination procedure that is the basis for a popular package called QEPCAD [CH91]. These procedures have been successfully used in proving theorems in algebraic geometry. Buchberger's Gröbner basis method for testing membership in polynomial ideals has also been successful in computer algebra and geometry theorem proving [CG01,BW01].

Constraint solving and quantifier elimination methods in linear and nonlinear arithmetic over integers, reals, and rationals are central to a large number of applications of theorem proving that involve numeric constraints.


4  The  Combination  Problem 

The application of decision procedures for individual theories is constrained by the fact that few natural problems fall exactly within a single theory. Many of the proof obligations that arise out of extended typechecking or verification condition generation involve arithmetic equalities and inequalities, tuples, arrays, datatypes, and uninterpreted function symbols. There are two basic techniques for constructing decision procedures for checking the satisfiability of conjunctions of literals in combinations of disjoint theories: the Nelson-Oppen method [NO79,TH96] and the Shostak method [Sho84].

Nelson and Oppen's Method. The Nelson-Oppen method combines decision procedures for disjoint theories by using variable abstraction to purify a formula containing operations from a union of theories, so that the formula can then be partitioned into subgoals that can be handled by the individual decision procedures. Let $B$ represent the formula whose satisfiability is being checked in the union of disjoint theories $\theta_1$ and $\theta_2$. First, variable abstraction is used to convert $B$ into $B' \land V$, where $V$ contains equalities of the form $x = t$, where $x$ is a fresh variable and $t$ contains function symbols exclusively from $\theta_1$ or from $\theta_2$, and $B'$ contains $x$ renaming $t$. In particular, if $V[B']$ is the result of replacing each occurrence of $x$ in $B'$ by the corresponding $t$ for each $x = t$ in $V$, then $B$ must be the result of repeatedly applying $V$ to $B'$ and eliminating all the newly introduced variables. Next, $V \land B'$ can be partitioned as $B_1 \land B_2$, where each $B_i$ only contains function symbols from the theory $\theta_i$. Let $X$ be the free variables that are shared between $B_1$ and $B_2$. Guess a partition $X_1, \ldots, X_m$ of the variables in $X$. Let $E$ be an arrangement corresponding to this partition, so that $E$ contains $x = y$ for each pair of distinct variables $x, y$ in some $X_j$, and $u \neq v$ for each pair of variables $u, v$ such that $u \in X_j$, $v \in X_k$ for $j \neq k$. Check if $E \land B_1$ is satisfiable in $\theta_1$ and $E \land B_2$ is satisfiable in $\theta_2$. If that is the case, then $B$ is satisfiable in $\theta_1 \cup \theta_2$, provided $\theta_1$ and $\theta_2$ are stably infinite. A theory $\theta$ is stably infinite if whenever a formula is $\theta$-satisfiable (satisfiable in a $\theta$-model), it is $\theta$-satisfiable in an infinite model.

Shostak's Method. The Nelson-Oppen combination is a way of combining black box decision procedures. Shostak's method is an optimization of the Nelson-Oppen combination for a restricted class of equational theories. A theory $\theta$ is said to be canonizable if there is a canonizer $\sigma$ such that the equality $a = b$ is valid in $\theta$ iff $\sigma(a) = \sigma(b)$. A theory $\theta$ is said to be solvable if there is an operation $solve$ such that $solve(a = b)$ returns a set $S$ of equalities $\{x_1 = t_1, \ldots, x_n = t_n\}$ equivalent in some sense to $a = b$, where each $x_i$ occurs in $a = b$ but not in $t_j$ for $1 \leq i, j \leq n$. A Shostak theory is one that is canonizable and solvable. Shostak's combination method can be used to combine one or more Shostak theories with the theory of equality over uninterpreted terms. The method essentially maintains a set $S$ of solutions $S_0, \ldots, S_n$, where each set $S_i$ contains equalities of the form $x = t$ for some term $t$ in $\theta_i$. The theory $\theta_0$ is used for the uninterpreted function symbols. Two variables $x$ and $y$ are said to be merged in $S_i$ if $x = t$ and $y = t$ are both in $S_i$. It is possible to define a global canonical form $S[a]$ for a term $a$ with respect to the solution state $S$ using the individual canonizers $\sigma_i$.

Shostak's original algorithm [Sho84] and its proof were both incorrect. The algorithm, as corrected by the author and Harald Ruess [RS01,SR02], checks the validity of a sequent $T \vdash c = d$. It does this by processing each equality $a = b$ into its solved form. If $S$ is the current solution state, then an unprocessed equality $a = b$ in $T$ is processed by first transforming it to $a' = b'$, where $a' = S[a]$ and $b' = S[b]$. The equality $a' = b'$ is variable abstracted and the variable abstraction equalities $x = t$ are added to the solution $S_i$, where $t$ is a term in the theory $\theta_i$. The algorithm then repeatedly reconciles the solutions $S_i$ so that whenever two variables $x$ and $y$ are merged in $S_i$ but not in $S_j$, for $i \neq j$, then they are merged in $S_j$ by solving $t_x = t_y$ in $\theta_j$, for $x = t_x$ and $y = t_y$ in $S_j$, and composing the solution with $S_j$ to obtain a new solution set $S_j$. When all the input equalities from $T$ have been processed and we have the resulting solution state $S$, we check if $S[c] = S[d]$. A conjunction of literals $\bigwedge_{i=1}^{m} a_i = b_i \land \bigwedge_{j=1}^{n} c_j \neq d_j$ is satisfiable iff $S \neq \bot$ and $S[c_j] \neq S[d_j]$, for each $j$, $1 \leq j \leq n$, where $S = process(\{a_1 = b_1, \ldots, a_m = b_m\})$.

Ground Satisfiability. The Nelson-Oppen and Shostak decision procedures check the satisfiability of conjunctions of literals drawn from a combination of theories. These procedures can be extended to handle propositional combinations of atomic formulas by transforming these formulas to disjunctive normal form. This method can be inefficient when the propositional case analysis involved is heavy. It is usually more efficient to combine a SAT solver with a ground decision procedure [BDS02,dMRS02]. There are various ways in which such a combination can be executed. Let $\phi$ be the formula whose satisfiability is being checked. Let $L$ be an injective map from fresh propositional variables to the atomic subformulas of $\phi$ such that $L^{-1}[\phi]$ is a propositional formula. We can use a SAT solver to check that $L^{-1}[\phi]$ is satisfiable, but the resulting truth assignment, say $l_1 \land \ldots \land l_n$, might be spurious, that is, $L[l_1 \land \ldots \land l_n]$ might not be ground-satisfiable. If that is the case, we can repeat the search with the added lemma $(\neg l_1 \lor \ldots \lor \neg l_n)$ and invoke the SAT solver on $(\neg l_1 \lor \ldots \lor \neg l_n) \land L^{-1}[\phi]$. This ensures that the next satisfying assignment returned is different from the previous assignment that was found to be ground-unsatisfiable. The lemma that is added can be minimized to find a minimal unsatisfiable set of literals $l_i$. This means that the lemma that is added is smaller, and the pruning of spurious assignments is more effective. The ground decision procedure can also be used to precompute a set $\Delta$ of lemmas (clauses) of the form $l_1 \lor \ldots \lor l_n$, where $\neg L[l_1] \land \ldots \land \neg L[l_n]$ is unsatisfiable according to the ground decision procedures. The SAT solver can then be reinvoked with $\Delta \land L^{-1}[\phi]$.
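The lazy SAT-plus-theory loop above, as an added example that is not the report's code: a small DPLL solver enumerates assignments of $L^{-1}[\phi]$, the ground decision procedure rejects spurious ones, the rejected assignment is minimized, and its negation is added as a blocking lemma. The theory used here is the separation predicates $x - y \leq c$ from the linear arithmetic section, decided graph-theoretically by negative-cycle detection; the integer interpretation (so that $\neg(x - y \leq c)$ is $y - x \leq -c - 1$), the propositional encoding and the sample atoms are constructed for illustration.

```python
def dpll(clauses, assignment=None):
    """Tiny DPLL SAT solver.  Clauses are lists of non-zero int literals (+v / -v).
    Returns a satisfying assignment {var: bool} or None."""
    assignment = dict(assignment or {})
    changed = True
    while changed:                                    # unit propagation
        changed = False
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                              # clause already satisfied
            free = [l for l in clause if abs(l) not in assignment]
            if not free:
                return None                           # clause falsified: conflict
            if len(free) == 1:
                assignment[abs(free[0])] = free[0] > 0
                changed = True
    unassigned = {abs(l) for c in clauses for l in c} - set(assignment)
    if not unassigned:
        return assignment
    v = min(unassigned)
    for value in (True, False):                       # case split on v
        result = dpll(clauses, {**assignment, v: value})
        if result is not None:
            return result
    return None


# Theory atoms are separation predicates x - y <= c over integer-valued variables,
# written as the tuple (x, y, c).
def negate(atom):
    """Over the integers, not (x - y <= c) is y - x <= -c - 1."""
    x, y, c = atom
    return (y, x, -c - 1)


def theory_sat(atoms):
    """Ground decision procedure: a conjunction of x - y <= c atoms is unsatisfiable
    iff the constraint graph (edge y -> x of weight c) has a negative cycle,
    detected with Bellman-Ford from a virtual source at distance 0 to every node."""
    nodes = {v for x, y, _ in atoms for v in (x, y)}
    dist = {v: 0 for v in nodes}
    for _ in range(len(nodes)):
        for x, y, c in atoms:
            dist[x] = min(dist[x], dist[y] + c)
    return all(dist[y] + c >= dist[x] for x, y, c in atoms)   # no edge still relaxable


def minimize_core(lits, L):
    """Shrink a spurious assignment to a minimal ground-unsatisfiable subset of its
    literals by greedily dropping literals that are not needed for the conflict."""
    core = list(lits)
    for l in list(core):
        trial = [m for m in core if m != l]
        if trial and not theory_sat([L[m] for m in trial]):
            core = trial
    return core


def lazy_smt(clauses, atoms):
    """Lazy SAT + theory loop.  `clauses` is L^-1[phi] in CNF and `atoms` is the
    injective map L from propositional variables to theory atoms.
    Returns (satisfiable?, list of blocking lemmas that were added)."""
    L = {}
    for v, atom in atoms.items():
        L[v], L[-v] = atom, negate(atom)
    lemmas = []
    while True:
        model = dpll(clauses + lemmas)
        if model is None:
            return False, lemmas
        lits = [v if val else -v for v, val in model.items()]
        if theory_sat([L[l] for l in lits]):
            return True, lemmas                   # assignment is ground-satisfiable
        core = minimize_core(lits, L)
        lemmas.append([-l for l in core])         # (not l_1 or ... or not l_n)


# Constructed instance: p1: x - y <= 1, p2: y - z <= 1, p3: z - x <= -3, p4: x - z <= 2
ATOMS = {1: ("x", "y", 1), 2: ("y", "z", 1), 3: ("z", "x", -3), 4: ("x", "z", 2)}


def example_satisfiable():
    """p1 and p2 and (p3 or p4): p3 closes a negative cycle and is blocked; p4 survives."""
    return lazy_smt([[1], [2], [3, 4]], ATOMS)


def example_unsatisfiable():
    """p1 and p2 and p3: the only propositional model is ground-unsatisfiable."""
    return lazy_smt([[1], [2], [3]], ATOMS)
```

In the first instance the minimized cores are $\{p_3, p_4\}$ and $\{p_1, p_2, \neg p_4\}$, so two lemmas suffice to steer the SAT solver to the ground-satisfiable assignment $p_1, p_2, \neg p_3, p_4$.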

A  tighter  integration  of  SAT  solvers  and  ground  decision  procedures  would  allow 
the  decision  procedures  to  check  the  consistency  of  the  case  analysis  during 
an  application  of  splitting  in  the  SAT  solver  and  avoid  cases  that  are  ground- 
unsatisfiable.  Through  a  tighter  integration,  it  would  also  be  possible  to  resume 
the  SAT  solver  with  the  added  conflict  information  without  starting  the  SAT 
solving  process  from  scratch.  We  address  the  challenge  of  integrating  inference 
procedures  below. 

Applications. Ground decision procedures, ground satisfiability, and quantifier elimination have many applications.

Symbolic Execution: Given a transition system, symbolic execution is the process of computing preconditions or postconditions of the transition system with respect to an assertion. For example, the strongest postcondition of an assertion $p$ with respect to a transition $N$ is the assertion $\lambda s : \exists s_0 : p(s_0) \land N(s_0, s)$. For certain choices of $p$ and $N$, this assertion can be computed by means of quantifier elimination. This is useful in analyzing timed and hybrid systems [ACH+95].

Infinite-State Bounded Model Checking: Bounded model checking checks for the existence of counterexamples of length up to a bound $k$ for a given temporal property. With respect to certain temporal properties, it is possible to reduce the bounded model checking problem for such systems to a ground satisfiability problem [dMRS02].

Abstraction and Model Checking: The early work on abstraction in the context of model checking was on reducing finite-state systems to smaller finite-state systems, i.e., systems with fewer possible states [Kur93,CGL92,LGS+95]. Graf and Saïdi [GS97] were the first to consider the use of a theorem prover for reducing (possibly) infinite-state systems to finite-state (hence, model-checkable) form. Their technique of predicate abstraction constructs an abstract counterpart of a concrete transition system where the truth values of certain predicates over the concrete state space are simulated by boolean variables. Data abstraction replaces a variable over an infinite state space by one over a finite domain. Predicate and data abstraction based on theorem proving are widely used [BLO98b,CU98,DDP99,SS99,BBLS00,CDH+00,TK02,HJMS02,FQ02]. The finite-state abstraction can exhibit spurious counterexamples that are not reproducible on the concrete system. Ground decision procedures are also useful here for detecting spurious counterexamples and suggesting refinements to the abstraction predicates [BLO98a,SS99,DD01].

Software Engineering: Ground decision procedures are central to a number of analysis tools for better engineered software, including array-bounds checking, extended static checking [DLNS98], typechecking [SO99], and static analysis [BMMR01,Pug92].


5  Challenges 

We have enumerated some of the progress in developing, integrating, and deploying various inference procedures. A great many challenges remain. We discuss a few of these below.

The Complexity Challenge. Many decision procedures are of exponential, super-exponential, or non-elementary complexity. However, this complexity often does not manifest itself on practical examples. Modern SAT solvers can solve very large practical problems, but they can also run aground on small instances of simple challenges like the propositional pigeonhole principle. MONA deals with a logic that is known to have a non-elementary lower bound, yet it performs quite well in practice. The challenge here is to understand the ways in which one can overcome complexity bounds on the problems that arise in practice through heuristic or algorithmic means.

The Theory Challenge. Inference procedures are hard to build, extend, and maintain. Past experience has been that good theory leads to simpler decision procedures with greater efficiency. A well-developed theory can also help devise uniform design patterns for entire classes of decision procedures. Such design patterns can contribute to both the efficiency and modularity of these procedures. Methods derived by specializing general-purpose methods like resolution and rewriting can also simplify the construction of decision procedures.

The  Modularity  Challenge.  As  we  have  already  noted,  inference  procedures  need 
rich  programmer  interfaces  (APIs)  [BM86,FORS01].  Boyer  and  Moore  [BM86] 
write: 

. . .  the  black  box  nature  of  the  decision  procedure  is  frequently  destroyed 
by  the  need  to  integrate  it.  The  integration  forces  into  the  theorem  prover 
much  knowledge  of  the  inner  workings  of  the  procedure  and  forces  into 
the  procedure  many  features  that  are  unnecessary  when  the  problem  is 
considered  in  isolation. 

For  example,  a  ground  decision  procedure  can  be  used  in  an  online  manner 
so  that  atomic  formulas  are  added  to  a  context  incrementally,  and  claims  are 
tested  against  the  context.  The  API  should  include  operations  for  asserting  and 
retracting  information,  testing  claims,  and  for  creating,  deleting,  and  browsing 
contexts.  The  decision  procedures  might  need  to  exchange  information  with  other 
inference  procedures  such  as  a  rewriter,  typechecker,  or  an  external  constraint 
solver.  We  already  saw  how  the  desired  interaction  between  ground  decision 
procedures  and  SAT  solvers  was  such  that  neither  of  these  could  be  treated  as 
a  black  box  procedure. 
The modularity challenge is a significant one. Butler Lampson has argued that software components have always failed at low levels of granularity (see http://research.microsoft.com/users/blampson/Slides/ReusableComponentsAbstract.htm). He says that successful software components are those at the level of a database, a compiler, or a theorem prover, but not decision procedures, constraint solvers, or unification procedures. For interoperation between inference components, we also need compatible logics, languages, and term and proof representations.

The Integration Challenge. The availability of good inference components is a prerequisite for integration, but we also need to find effective ways of combining these components in complementary ways. The combination of decision procedures with model checking in predicate and data abstraction is a case where such a complementary integration is remarkably effective. Other such examples include the combination of unification/matching procedures and constraint solving, and of typechecking and ground decision procedures.

The Verification Challenge. How do we know that our inference procedures are sound? This question is often asked by those who wish to apply inference procedures in contexts where a high level of manifest assurance is required. This question has been addressed in a number of ways. The LCF approach [GMW79] requires inference procedures to be constructed as tactics that generate a fully expanded proof in terms of low level inferences when applied. Proof objects have also been widely used as a way of validating inference procedures and securing mobile code [Nec97]. Reflection [Wey80,BM81] is a way of reasoning about the metatheory of a theory within the theory itself. The difficult tradeoff with reflection is that the theory has to be simple in order to be reasoned about, but rich enough to reason with. The verification of decision procedures is actually well within the realm of the feasible, and recently there have been several successful attempts in this direction [The98,FS02].


6  Conclusions 

We have argued for a reappraisal of Hao Wang's programme [Wan60b,Wan60a] of inferential analysis as a paradigm for automated reasoning. The key element of this paradigm is the use of problem-driven combinations of sophisticated and efficient low-level decision procedures. Such an approach runs counter to the traditional thinking in automated reasoning, which is centered around uniform proof search procedures. Similar ideas are also central to the automated reasoning schools of Bledsoe [Ble77] and Boyer and Moore [BM79,BM86].

The active use of decision procedures in automated reasoning began with the west-coast theorem proving approach pioneered by Boyer and Moore [BM79], Shostak [SSMS82], and Nelson and Oppen [LGvH+79,NO79]. The PVS system is in this tradition [ORS92,Sha01], as are STeP [MT96], SIMPLIFY [DLNS98], and SVC [BDS00].
In recent years there has been a flurry of interest in the development of verification tools that rely quite heavily on sophisticated decision procedures. The quality and efficiency of many of these decision procedures is impressive. The underlying theory is also advancing rapidly [Bjø99,Tiw00]. Such theoretical advances will make it easier to construct correct decision procedures and integrate them more easily with other inference mechanisms. Contrary to the impression that decision procedures are black boxes, they need rich interfaces [BM86,FORS01,GNTV02] in order to be deployed most efficiently. The theory, construction, integration, verification, and deployment of inference procedures is likely to be a fertile source of challenges for automated reasoning in mathematically rich domains.
Abstract

Decision procedures for equality in a combination of theories are at the core of a number of verification systems. Shostak's decision procedure for equality in the combination of solvable and canonizable theories has been around for nearly two decades. Variations of this decision procedure have been implemented in a number of systems including STP, Ehdm, PVS, STeP, and SVC. The algorithm is quite subtle and a correctness argument for it has remained elusive. Shostak's algorithm and all previously published variants of it yield incomplete decision procedures. We describe a variant of Shostak's algorithm along with proofs of termination, soundness, and completeness.


1  Introduction 

In 1984, Shostak [Sho84] published a decision procedure for the quantifier-free theory of equality over uninterpreted functions combined with other theories that are canonizable and solvable. Such algorithms decide statements of the form $T \vdash a = b$, where $T$ is a collection of equalities, and $T$, $a$, and $b$ contain a mixture of interpreted and uninterpreted function symbols. This class of statements includes a large fraction of the proof obligations that arise in verification, including those involving extended typechecking, verification conditions generated from Hoare triples, and inductive theorem proving. Shostak's procedure is at the core of several verification systems including STP [SSMS82], Ehdm [EHD93], PVS [ORS92], STeP [MT96, Bjø99], and SVC [BDL96]. The soundness of Shostak's algorithm is reasonably straightforward, but its completeness has steadfastly resisted proof. The proof given by Shostak [Sho84] is seriously flawed. Despite its significance and popularity, Shostak's original algorithm and its subsequent variations [CLS96, BDL96, Bjø99] are all incomplete and potentially nonterminating. We explain the ideas underlying Shostak's decision procedure by presenting a correct version of the algorithm along with rigorous proofs for its correctness.

* This work was supported by SRI International, and by NSF Grant CCR-0082560, DARPA/AFRL Contract F33615-00-C-3043, and NASA Contract NAS1-0079.

If the terms in a conjecture of the form $T \vdash a = b$ are constructed solely from variables and uninterpreted function symbols, then congruence closure [NO80, Sho78, DST80, CLS96, Kap97, BRRT99] can be used to partition the subterms into equivalence classes respecting $T$ and congruence. For example, when congruence closure is applied to

$$f^3(x) = f(x) \vdash f^5(x) = f(x),$$

the equivalence classes generated by the antecedent equality are $\{x\}$, $\{f(x), f^3(x), f^5(x)\}$, and $\{f^2(x), f^4(x)\}$. This partition clearly validates the conclusion $f^5(x) = f(x)$.

In practice, a conjecture $T \vdash a = b$ usually contains a mixture of uninterpreted and interpreted function symbols. Semantically, uninterpreted functions are unconstrained, whereas interpreted functions are constrained by a theory, i.e., a closure condition with respect to consequence on a set of equalities. An example of such an assertion is

$$f(x - 1) - 1 = x + 1,\quad f(y) + 1 = y - 1,\quad y + 1 = x \ \vdash\ \mathit{false},$$

where $+$, $-$, and the numerals are from the theory of linear arithmetic, $\mathit{false}$ is an abbreviation for $0 = 1$, and $f$ is an uninterpreted function symbol. The contradiction here cannot be derived solely by congruence closure or linear arithmetic. Linear arithmetic is used to show that $x - 1 = y$, so that $f(x - 1) = f(y)$ follows by congruence. Linear arithmetic can then be used to show that $x + 2 = y - 2$, which contradicts $y + 1 = x$.
Nelson and Oppen [NO79] showed how decision procedures for disjoint equational theories could be combined. Since linear arithmetic and uninterpreted equality are disjoint, this method can be applied to the above example. First, variable abstraction is used to obtain a theory-wise partition of the term universe, i.e., the subterms of $T$, $a$, and $b$, in a conjecture $T \vdash a = b$. The uninterpreted equality theory $\mathcal{Q}$ then consists of the terms $\{f(u), f(y), w, z\}$ and the equalities $\{w = f(u),\ z = f(y)\}$, and the linear arithmetic theory $\mathcal{L}$ consists of the terms $\{u, x, y, x - 1, w - 1, x + 1, z + 1, y - 1, y + 1\}$ and the equalities $\{u = x - 1,\ w - 1 = x + 1,\ z + 1 = y - 1,\ y + 1 = x\}$. The key observation is that once the terms and equalities have been partitioned using variable abstraction, the two theories $\mathcal{L}$ and $\mathcal{Q}$ need exchange only equalities between variables. Thus, linear arithmetic can be used to derive the equality $u = y$, from which congruence closure derives $w = z$, and the contradiction then follows from linear arithmetic. Since the term universe is fixed in advance, there are only a bounded number of equalities between variables, so that the propagation of information between the decision procedures must ultimately converge.

The Nelson-Oppen combination procedure has some disadvantages. The individual decision procedures must carry out their own equality propagation, and the communication of equalities between decision procedures can be expensive. The number of equalities is quadratic in the size of the term universe, and each closure operation can itself be linear in the size of the term universe.

Shostak's algorithm tries to gain efficiency by maintaining and propagating equalities within a single congruence closure data structure. Equalities involving interpreted symbols contain more information than uninterpreted equalities. For example, the equality $y + 1 = x$ cannot be processed by merely placing $y + 1$ and $x$ in the same equivalence class. This equality also implies that $y = x - 1$, $y - x = -1$, $x - y = 1$, $y + 3 = x + 2$, and so on. In order to avoid processing all these variations on the given equality, Shostak restricts his attention to solvable theories where an equality of the form $y + 1 = x$ can be solved for $x$ to yield the solution $x = y + 1$. If the theories considered are also canonizable, then there is a canonizer $\sigma$ such that whenever an equality $a = b$ is valid, then $\sigma(a) \equiv \sigma(b)$, where $\equiv$ represents syntactic equality. A canonizer for linear arithmetic can be defined to place terms into an ordered sum-of-monomials form. Once a solved form such as $x = y + 1$ has been obtained, all the other consequences $a = b$ of this equality can be obtained by $\sigma(a') \equiv \sigma(b')$, where $a'$ and $b'$ are the results of substituting the solution for $x$ into $a$ and $b$, respectively. For example, substituting the solution into $y = x - 1$ yields $y = y + 1 - 1$, and the subsequent canonization step yields $y \equiv y$.

The notion of a solvable and canonizable theory is extended to equalities involving a mix of interpreted and uninterpreted symbols by treating uninterpreted terms as variables. For the conjecture

$$f(x - 1) - 1 = x + 1,\quad f(y) + 1 = y - 1,\quad y + 1 = x \ \vdash\ \mathit{false},$$

Shostak's algorithm would solve the equality $f(x - 1) - 1 = x + 1$ as $f(x - 1) = x + 2$, the equality $f(y) + 1 = y - 1$ as $f(y) = y - 2$, and $y + 1 = x$ as $x = y + 1$. Now, $f(x - 1)$ and $f(y)$ are congruent because the canonical form for $x - 1$ obtained after substituting the solution $x = y + 1$ is $y$. By congruence closure, the equivalence classes of $f(x - 1)$ and $f(y)$ have to be merged. In Shostak's original algorithm the current representatives of these equivalence classes, namely $x + 2$ and $y - 2$, are merged. The resulting equality $x + 2 = y - 2$ is first solved to yield $x = y - 4$. This is incorrect because we already have a solution for $x$ as $x = y + 1$, and $x$ should therefore have been eliminated. The new solution $x = y - 4$ contradicts the earlier one, but this contradiction goes undetected by Shostak's algorithm. This example can be easily adapted to show nontermination. Consider

$$f(v) = v,\quad f(u) = u - 1,\quad u = v \ \vdash\ \mathit{false}.$$

The merging of $u$ and $v$ here leads to the detection of the congruence between $f(u)$ and $f(v)$. This leads to solving of $u - 1 = v$ as $u = v + 1$. Now, the algorithm merges $v$ and $v + 1$. Since $v$ occurs in $v + 1$, this causes $v + 1$ to be merged with $v + 2$, and so on.

An earlier paper by Cyrluk, Lincoln, and Shankar [CLS96] gave an explanation (with minor corrections) of Shostak's algorithm for congruence closure and its extension to interpreted theories. Though proofs of correctness for the combination algorithm are briefly sketched, the algorithm presented there is both incomplete and nonterminating. Other published variants of Shostak's algorithm used in SVC [BDL96] and STeP [Bjø99] inherit these problems.

In this paper, we present an algorithm that fixes the incompleteness and nontermination in earlier versions of Shostak's algorithm. In the above example, the incompleteness is fixed by substituting the solution for $x$ into the terms representing the different equivalence classes. Thus, when $f(x - 1)$ and $f(y)$ are detected to be congruent, their equivalence classes are represented by $y + 3$ and $y - 2$, respectively. The resulting equality $y + 3 = y - 2$ easily yields a contradiction. The nontermination is fixed by ensuring that no new mergeable terms, such as $v + 2$, are created during the processing of an axiom in $T$. Our algorithm is presented as a system of transformations on a set of equalities in order to capture the key insights underlying its correctness. We outline rigorous proofs for the termination, soundness, and completeness of this procedure. The algorithm as presented here emphasizes logical clarity over efficiency, but with suitable optimizations and data structures, it can serve as the basis for an efficient implementation. SRI's ICS (Integrated Canonizer/Solver) decision procedure package [FORS01] is directly based on the algorithm studied here.

Section 2 introduces the theory of equality, which is augmented in Section 3 with function symbols from a canonizable and solvable theory. Section 3 also introduces the basic building blocks for the decision procedure. The algorithm itself is described in Section 4 along with some example hand-simulations. The proofs of termination, soundness, and completeness are outlined in Section 5.


2  Background 


With respect to a signature consisting of a set of function symbols $F$ and a set of variables $V$, a term is either a variable $x$ from $V$ or an application $f(a_1, \ldots, a_n)$ of an $n$-ary function symbol $f$ from $F$ to $n$ terms $a_1, \ldots, a_n$, where $0 \le n$. The metavariable conventions are that $u$, $v$, $x$, $y$, and $z$ range over variables, and $a$, $b$, $c$, $d$, and $e$ range over terms. The metavariables $R$, $S$, and $T$ range over sets of equalities. The metatheoretic assertion $a \equiv b$ indicates that $a$ and $b$ are syntactically identical terms. Let $\mathit{vars}(a)$, $\mathit{vars}(a = b)$, and $\mathit{vars}(T)$ return the variables occurring in a term $a$, an equality $a = b$, and a set of equalities $T$, respectively. The operation $[a]$ is defined to return the set of all subterms of $a$.

Some of the function symbols are interpreted, i.e., they have a specific interpretation in some given theory $\tau$, while the remaining function symbols are uninterpreted, i.e., can be assigned arbitrary interpretations. A term $f(a_1, \ldots, a_n)$ is interpreted (uninterpreted) if $f$ is interpreted (uninterpreted). A term $e$ is non-interpreted if it is either a variable or an uninterpreted term. We say that a term $a$ occurs interpreted in a term $e$ if there is an occurrence of $a$ in $e$ that is not properly within an uninterpreted subterm of $e$. Likewise, $a$ occurs uninterpreted in $e$ if $a$ is a proper subterm of an uninterpreted subterm of $e$. $\mathit{solvables}(a)$ denotes the set of outermost non-interpreted subterms of $a$, i.e., those that do not occur uninterpreted in $a$.

$$\mathit{solvables}(f(a_1, \ldots, a_n)) = \bigcup_{i=1}^{n} \mathit{solvables}(a_i), \text{ if } f \text{ is interpreted}$$
$$\mathit{solvables}(a) = \{a\}, \text{ otherwise}$$

The theory of equality deals with sequents of the form $T \vdash a = b$. We will insist that these sequents be such that $\mathit{vars}(a = b) \subseteq \mathit{vars}(T)$. The proof theory for equality is given by the following inference rules.

1. Axiom: $\dfrac{}{T \vdash a = b}$, for $a = b \in T$.

2. Reflexivity: $\dfrac{}{T \vdash a = a}$.

3. Symmetry: $\dfrac{T \vdash a = b}{T \vdash b = a}$.

4. Transitivity: $\dfrac{T \vdash a = b \qquad T \vdash b = c}{T \vdash a = c}$.

5. Congruence: $\dfrac{T \vdash a_1 = b_1 \quad \ldots \quad T \vdash a_n = b_n}{T \vdash f(a_1, \ldots, a_n) = f(b_1, \ldots, b_n)}$.

The semantics for terms is given by a model $M$ over a domain $D$ and an assignment $\rho$ for the variables so that $M[x]\rho = \rho(x)$ and $M[f(a_1, \ldots, a_n)]\rho = M(f)(M[a_1]\rho, \ldots, M[a_n]\rho)$, and $M[a]\rho \in D$ for all $a$. We say that $M, \rho \models a = b$ iff $M[a]\rho = M[b]\rho$, and $M \models a = b$ iff $M, \rho \models a = b$ for all assignments $\rho$ over $\mathit{vars}(a = b)$. We write $M, \rho \models S$ when $\forall a, b : a = b \in S \supset M, \rho \models a = b$, and $M, \rho \models T \vdash a = b$ when $(M, \rho \models T) \supset (M, \rho \models a = b)$.

3  Canonizable  and  Solvable  Theories 

Shostak's algorithm goes beyond congruence closure by deciding equality in the presence of function symbols that are interpreted in a theory $\tau$ [Sho84, CLS96]. The algorithm is targeted at canonizable and solvable theories, i.e., theories that are equipped with solvers and canonizers as outlined below. We write $\models_\tau a = b$ to indicate that $a = b$ is valid in theory $\tau$. The canonizer and solver are first described for pure $\tau$-terms, i.e., without any uninterpreted function symbols, and then extended to uninterpreted terms by regarding these as variables.

Definition 3.1 A theory $\tau$ is canonizable if there is a canonizer $\sigma$ such that

1. $\models_\tau a = b$ iff $\sigma(a) \equiv \sigma(b)$.

2. $\sigma(x) \equiv x$.

3. $\mathit{vars}(\sigma(a)) \subseteq \mathit{vars}(a)$.

4. $\sigma(\sigma(a)) \equiv \sigma(a)$.

5. If $\sigma(a) \equiv f(b_1, \ldots, b_n)$, then $\sigma(b_i) \equiv b_i$ for $1 \le i \le n$.

For example, a canonizer $\sigma$ for the theory of linear arithmetic can be defined to transform expressions into an ordered-sum-of-monomials normal form. A term $a$ is said to be canonical if $\sigma(a) \equiv a$.

Definition 3.2 A model $M$ is a $\sigma$-model if $M \models a = \sigma(a)$ for any term $a$, and $M \not\models a = b$ for distinct canonical, variable-free terms $a$ and $b$.

Definition 3.3 A set of equalities $S$ and $a = b$ are $\sigma$-equivalent iff for all $\sigma$-models $M$ and assignments $\rho$ over the variables in $a$ and $b$, $M, \rho \models a = b$ iff there is an assignment $\rho'$ extending $\rho$, over the variables in $S$, $a$, and $b$, such that $M, \rho' \models S$.

Definition 3.4 A canonizable theory is solvable if there is an operation $\mathit{solve}$ such that $\mathit{solve}(a = b) = \bot$ if $a = b$ is unsatisfiable in any $\sigma$-model, or $S = \mathit{solve}(a = b)$ for a set of equalities $S$ such that

1. $S$ is a set of $n$ equalities of the form $x_i = e_i$ for $0 \le n$, where for each $i$, $0 < i \le n$,

   (a) $x_i \in \mathit{vars}(a = b)$.

   (b) $x_i \notin \mathit{vars}(e_j)$, for $j$, $0 < j \le n$.

   (c) $x_i \not\equiv x_j$, for $i \ne j$ and $0 < j \le n$.

   (d) $\sigma(e_i) \equiv e_i$.

2. $S$ and $a = b$ are $\sigma$-equivalent.

A solver for linear arithmetic, for example, takes an equation of the form

$$c + a_1 x_1 + \ldots + a_n x_n = d + b_1 x_1 + \ldots + b_n x_n,$$

where $a_1 \ne b_1$, and returns

$$x_1 = \sigma\big((d - c)/(a_1 - b_1) + ((b_2 - a_2)/(a_1 - b_1)) * x_2 + \ldots + ((b_n - a_n)/(a_1 - b_1)) * x_n\big).$$

In general, $\mathit{solve}(a = b)$ may contain variables that do not occur in $a = b$, and vice-versa.

There are a number of interesting canonizable and solvable theories including linear arithmetic, the theory of tuples and projections, algebraic datatypes like lists, set algebra, and the theory of fixed-sized bit vectors. In many cases, the canonizability and solvability of the union of theories (with disjoint signatures) follows from the canonizability and solvability of its constituent theories.¹ We do not address modularity issues here but instead assume that we already have a canonizer and solver for a single combined theory.

The solvers and canonizers characterized above are intended to work in the absence of uninterpreted function symbols. They are adapted to terms containing uninterpreted subterms by treating these subterms as variables. Canonizers are applied to terms containing uninterpreted subterms by renaming distinct uninterpreted subterms with distinct new variables. For a given term $a$, let $\gamma$ be a bijective mapping between a set of variables $X$ that do not appear in $a$ and the uninterpreted subterms of $a$. The application of a substitution $\gamma$ to a term $a$, written $\gamma[a]$, is defined so that $\gamma[a] = f(\gamma[a_1], \ldots, \gamma[a_n])$ if $a \equiv f(a_1, \ldots, a_n)$, where $f$ is interpreted. If $a$ is in the domain of $\gamma$, then $\gamma[a] = \gamma(a)$, and otherwise, $\gamma[a] = a$. Then $\sigma(a)$ is $\gamma[\sigma(\gamma^{-1}[a])]$.

For solving equalities containing uninterpreted terms, we introduce, as with $\sigma$, a bijective map $\gamma$ between a set of variables $X$ not occurring in $a$ or $b$, and the uninterpreted subterms of $a$ and $b$, such that

$$\mathit{solve}(a = b) = \gamma[\mathit{solve}(\gamma^{-1}[a] = \gamma^{-1}[b])].$$

When uninterpreted terms are handled as above, the conditions in Definitions 3.1 and 3.4 must be suitably adapted by using $\mathit{solvables}(a)$ instead of $\mathit{vars}(a)$.

The proof theory for equality is augmented for canonizable, solvable theories by the proof rules:

1. Canonization: $\dfrac{}{T \vdash a = \sigma(a)}$, for any term $a$.

2. Solve: $\dfrac{T \vdash a = b \qquad T \cup S \vdash c = d}{T \vdash c = d}$, if $S = \mathit{solve}(a = b) \ne \bot$ and $\mathit{vars}(c = d) \subseteq \mathit{vars}(T)$.

3. Solve-$\bot$: $\dfrac{T \vdash a = b}{T \vdash \mathit{false}}$, if $\mathit{solve}(a = b) = \bot$.


A sequent $T \vdash c = d$ is derivable if there is a proof of $T \vdash c = d$ using one of the inference rules: axiom, reflexivity, symmetry, transitivity, congruence, canonization, solve, or solve-$\bot$. We say that $T \vdash S$ is derivable if $T \vdash c = d$ is derivable for every $c = d$ in $S$. The sequent $T, S \vdash c = d$ is just $T \cup S \vdash c = d$. The weakening and cut lemmas below are easily verified.

¹ The general result on combining solvers claimed by Shostak [Sho84] is incorrect, but there are some restricted results on combining equational unifiers [BS96] that can be applied here.
Lemma 3.5 (weakening) If $T \subseteq T'$ and $T \vdash a = b$ is derivable, then $T' \vdash a = b$ is derivable.

Lemma 3.6 (cut) If $T' \vdash T$ and $T \vdash a = b$ is derivable, then $T' \vdash a = b$ is derivable.

Theorem 3.7 (proof soundness) If $T \vdash a = b$ is derivable, then for any $\sigma$-model $M$ and assignment $\rho$ over $\mathit{vars}(T)$, $M, \rho \models T \vdash a = b$.

Proof. By induction on the derivation of $T \vdash a = b$. The soundness of the solve rules follows from the conditions in Definition 3.4. ∎

A set of equalities $S$ is said to be functional (in a left-to-right reading of the equality) if whenever $a = b \in S$ and $a = b' \in S$, $b \equiv b'$. For example, the solution set returned by $\mathit{solve}$ is functional. A functional set of equalities can be treated as a substitution, and the associated operations are defined below. $S(a)$ returns the solution for $a$ if it exists in $S$, and $a$ itself otherwise. If $a = b$ is in $S$ for some $b$, then $a$ is in the domain of $S$, i.e., $\mathit{dom}(S)$.

$$S(a) = \begin{cases} b & \text{if } a = b \in S \\ a & \text{otherwise} \end{cases}$$
$$\mathit{dom}(S) = \{a \mid \exists b.\ a = b \in S\}.$$

The operation $a \sim_S b$ checks if $a$ is congruent to $b$ in $S$, i.e., $a \equiv f(a_1, \ldots, a_n)$, $b \equiv f(b_1, \ldots, b_n)$, and $S(a_i) \equiv S(b_i)$ for $1 \le i \le n$. A set of equalities $S$ is said to be congruence-closed when for any terms $a$ and $b$ in $\mathit{dom}(S)$ such that $a \sim_S b$, we have $S(a) \equiv S(b)$.

$S[a]$ replaces a subterm $b$ in $a$ by $S(b)$, where $b \in \mathit{solvables}(a)$.

$$S[f(a_1, \ldots, a_n)] = f(S[a_1], \ldots, S[a_n]), \text{ if } f \text{ is interpreted}$$
$$S[a] = S(a), \text{ otherwise.}$$

$\mathit{norm}(S)(a)$ is a normal form for $a$ with respect to $S$ and is defined as $\sigma(S[a])$. The operation $\mathit{norm}$ does not appear in Shostak's algorithm and is the key element of our algorithm and its proof. With $S$ fixed, we use $\bar{a}$ as a syntactic abbreviation for $\mathit{norm}(S)(a)$.

$$\mathit{norm}(S)(a) = \sigma(S[a]).$$

Lemma 3.8 If $\mathit{solve}(a = b) = S \ne \bot$, then $\mathit{norm}(S)(a) \equiv \mathit{norm}(S)(b)$.

Proof. By Definitions 3.3 and 3.4(2), for any $\sigma$-model $M$ and assignment $\rho'$, we have $M, \rho' \models S \iff M, \rho' \models a = b$. Let $a' = S[a]$ and $b' = S[b]$. By induction on $a$, $M, \rho' \models a = a'$, and similarly $M, \rho' \models b = b'$. Hence, $M, \rho' \models a' = b'$. Then, since $M$ is a $\sigma$-model, by Definition 3.2 it must be the case that $\sigma(a') \equiv \sigma(b')$, and therefore $\mathit{norm}(S)(a) \equiv \mathit{norm}(S)(b)$. ∎

The definition of the lookup operation uses Hilbert's epsilon operator, indicated by the keyword when, to return $S(f(b_1, \ldots, b_n))$ when $b_1, \ldots, b_n$ satisfying the listed conditions can be found. If no such $b_1, \ldots, b_n$ can be found, then $\mathit{lookup}(S)(a)$ returns $a$ itself. We show later that the lookup operation is used only when the results of this choice are deterministic.

$$\mathit{lookup}(S)(f(a_1, \ldots, a_n)) = S(f(b_1, \ldots, b_n)), \text{ when } b_1, \ldots, b_n : f(b_1, \ldots, b_n) \in \mathit{dom}(S) \text{ and } a_i \equiv S(b_i) \text{ for } 1 \le i \le n$$
$$\mathit{lookup}(S)(a) = a, \text{ otherwise.}$$

$\mathit{can}(S)(a)$ is a canonical form in which any uninterpreted subterm $e$ that is congruent to a known left-hand side $e'$ in $S$ is replaced by $S(e')$. It is analogous to the canon operation in Shostak's algorithm. We use $\hat{a}$ as a syntactic abbreviation for $\mathit{can}(S)(a)$.

$$\mathit{can}(S)(f(a_1, \ldots, a_n)) = \mathit{lookup}(S)(f(\hat{a}_1, \ldots, \hat{a}_n)), \text{ if } f \text{ is uninterpreted}$$
$$\mathit{can}(S)(f(a_1, \ldots, a_n)) = \sigma(f(\hat{a}_1, \ldots, \hat{a}_n)), \text{ if } f \text{ is interpreted}$$
$$\mathit{can}(S)(a) = S(a), \text{ otherwise.}$$

Lemma 3.9 ($\sigma$-norm) If $S$ is functional, then $\mathit{norm}(S)(\sigma(a)) \equiv \bar{a}$ and $\mathit{can}(S)(\sigma(a)) \equiv \hat{a}$.

Proof. We know that $\vdash \sigma(a) = a$. Then for $b' = S[\sigma(a)]$ and $b = S[a]$, the equality $b' = b$ is valid in every $\sigma$-model. Then by Definition 3.2, $\sigma(S[\sigma(a)]) \equiv \sigma(S[a])$, and hence the first part of the theorem.

The reasoning in the second part is similar. If we let $R = \{b = \hat{b} \mid b \in [a]\}$, then $\mathit{can}(S)(a) = \mathit{norm}(R)(a)$. We can therefore use the first part of the theorem to establish the second part. ∎

We next introduce a composition operation for merging the results of a solve operation into an existing solution set. When $R \circ S$ is used, $S$ must be functional, and the result contains $a = \bar{b}$ (that is, $a = \mathit{norm}(S)(b)$) for each equality $a = b$ in $R$, in addition to the equalities in $S$.

$$R \circ S = \{a = \bar{b} \mid a = b \in R\} \cup S.$$

The following lemmas about composition are given without proof.

Lemma 3.10 (norm decomposition) If $R \cup S$ is functional, then

$$\mathit{norm}(R \circ S)(a) \equiv \mathit{norm}(S)(\mathit{norm}(R)(a)).$$
$$\begin{aligned}
\mathit{process}(\{a = b\} \cup T) &= \mathit{assert}(a = b, \mathit{process}(T)) \\
\mathit{process}(\emptyset) &= \emptyset \\[4pt]
\mathit{assert}(a = b, \bot) &= \bot \\
\mathit{assert}(a = b, S) &= \mathit{cc}(\mathit{merge}(\hat{a}, \hat{b}, S^{+})), \text{ where } S^{+} = \mathit{expand}(S, \hat{a}, \hat{b}) \\[4pt]
\mathit{expand}(S, a, b) &= S \cup \{e = e \mid e \in \mathit{new}(S, a, b)\} \\
\mathit{new}(S, a, b) &= [a = b] - \mathit{dom}(S) \\[4pt]
\mathit{merge}(a, b, S) &= \bot, \text{ if } \mathit{solve}(a = b) = \bot \\
\mathit{merge}(a, b, S) &= S \circ \mathit{solve}(a = b), \text{ otherwise} \\[4pt]
\mathit{cc}(\bot) &= \bot \\
\mathit{cc}(S) &= \mathit{cc}(\mathit{merge}(S(a), S(b), S)), \text{ when } a, b : a, b \in \mathit{dom}(S),\ a \sim_S b, \text{ and } S(a) \not\equiv S(b) \\
\mathit{cc}(S) &= S, \text{ otherwise}
\end{aligned}$$

Figure 1: Main Procedure: process

Lemma 3.11 (associativity of composition) If $Q \cup R \cup S$ is functional, then

$$(Q \circ R) \circ S = Q \circ (R \circ S).$$

Lemma 3.12 (monotonicity) If $R \cup S$ is functional, then if $R(a) \equiv R(b)$, then $(R \circ S)(a) \equiv (R \circ S)(b)$, for any $a$ and $b$.

4 An Algorithm for Deciding Equality in the Presence of Theories

We next present an algorithm for deciding $T \vdash c = d$ for terms containing uninterpreted function symbols and function symbols interpreted in a canonizable and solvable theory. The algorithm for verifying $T \vdash c = d$ checks that $\mathit{can}(S)(c) = \mathit{can}(S)(d)$, where $S = \mathit{process}(T)$. The $\mathit{process}$ procedure shown in Figure 1 is written as a functional program. It is a mathematical description of the algorithm and not an optimized implementation. The state of the algorithm consists of a set of equalities $S$ which holds the solution set. We demonstrate as an invariant that $S$ is functional. Two terms $a$ and $b$ in $\mathit{dom}(S)$ are in the same equivalence class according to $S$ if $S(a) = S(b)$.

The operation $\mathit{process}(T)$ returns a final solution set by starting with an empty solution set and successively processing each equality $a = b$ in $T$ by invoking $\mathit{assert}(a = b, S)$, where $S$ is the state as returned by the recursive call of $\mathit{process}$. The invocation of $\mathit{assert}(a = b, S)$ is executed by first reducing $a$ and $b$ to their respective canonical forms $\hat{a}$ and $\hat{b}$. Next, $S$ is expanded to include $e = e$ for each subterm $e$ of $\hat{a} = \hat{b}$ where $e \notin \mathit{dom}(S)$. This preprocessing step ensures that $S$ contains entries corresponding to any terms that might be needed in the congruence closure phase in the operation $\mathit{cc}$.² The $\mathit{merge}$ operation then solves the equality $\hat{a} = \hat{b}$ to get a solution³ $S'$, and returns $S \circ S'$ as the new value for the state $S$. As we will show, this new value affirms $a = b$, but it is not congruence-closed and hence does not contain all the consequences of the assertion $a = b$. The step $\mathit{cc}(S)$ computes the congruence closure of $S$ by repeatedly picking a pair of congruent terms $a$ and $b$ from $\mathit{dom}(S)$ such that $S(a) \not\equiv S(b)$ and merging them using $\mathit{merge}(S(a), S(b), S)$. Eventually either a contradiction is found or all congruent left-hand sides in $S$ are merged and the $\mathit{cc}$ operation terminates, returning a congruence-closed solution set.

The above algorithm fixes the nontermination and incompleteness problems in Shostak's algorithm by introducing the $\mathit{norm}$ operation and the composition operator $R \circ S$ to fold in a solution. The $\mathit{norm}$ operation ensures that no new uninterpreted terms are introduced during congruence closure in the function $\mathit{cc}$, as is needed to guarantee termination. The composition operator $R \circ S$ ensures that any newly generated solution $S$ is immediately substituted into $R$ and the algorithm never attempts to find a solution for an already solved non-interpreted term.

We first illustrate the algorithm on some examples. The first example contains no interpreted symbols.

Example 4.1 Consider the goal $f^5(x) = x,\ f^3(x) = x \vdash f(x) = x$. The value of $S$ after the base case is $\emptyset$. After the preprocessing of $f^3(x) = x$ in $\mathit{assert}$, $S$ is $\{x = x,\ f(x) = f(x),\ f^2(x) = f^2(x),\ f^3(x) = f^3(x)\}$. After merging $f^3(x)$ and $x$, $S$ is $\{x = x,\ f(x) = f(x),\ f^2(x) = f^2(x),\ f^3(x) = x\}$. When $f^5(x) = x$ is preprocessed in $\mathit{assert}$, $\mathit{can}(S)(f^5(x))$ yields $f^2(x)$ since $S(f^3(x)) = x$, and $S$ is left unchanged. When $f^2(x)$ and $x$ have been merged, $S$ is $\{x = x,\ f(x) = f(x),\ f^2(x) = x,\ f^3(x) = x\}$. Now $f(x) \sim_S f^3(x)$, and hence $f(x)$ and $x$ are merged so that $S$ is now $\{x = x,\ f(x) = x,\ f^2(x) = x,\ f^3(x) = x\}$. The conclusion $f(x) = x$ easily follows since $\mathit{can}(S)(f(x)) = x = \mathit{can}(S)(x)$.

² Actually, the interpreted subterms of $a = b$ need not all be included in $\mathit{dom}(S)$. Only those that are immediate subterms of uninterpreted subterms in $a = b$ are needed.

³ Any variables occurring in $\mathit{solve}(a = b)$ and not in $\mathit{vars}(a = b)$ must be fresh, i.e., they must not occur in the original conjecture or be generated by any other invocation of $\mathit{solve}$.

Example 4.2 Consider $y + 1 = x,\ f(y) + 1 = y - 1,\ f(x - 1) - 1 = x + 1 \vdash \mathit{false}$, which is a permutation of our earlier example. Starting with $S = \emptyset$ in the base case, the preprocessing of $f(x - 1) - 1 = x + 1$ causes the equation to be placed into canonical form as $-1 + f(-1 + x) = 1 + x$, and $S$ is set to

$$\{1 = 1,\ -1 = -1,\ x = x,\ -1 + x = -1 + x,\ f(-1 + x) = f(-1 + x),\ 1 + x = 1 + x\}.$$

Solving $-1 + f(-1 + x) = 1 + x$ yields $f(-1 + x) = 2 + x$, and $S$ is set to

$$\{1 = 1,\ -1 = -1,\ x = x,\ -1 + x = -1 + x,\ f(-1 + x) = 2 + x,\ 1 + x = 1 + x\}.$$

No unmerged congruences are detected. Next, $f(y) + 1 = y - 1$ is asserted. Its canonical form is $1 + f(y) = -1 + y$, and once this equality is asserted, the value of $S$ is

$$\{1 = 1,\ -1 = -1,\ x = x,\ -1 + x = -1 + x,\ f(-1 + x) = 2 + x,\ 1 + x = 1 + x,\ y = y,\ f(y) = -2 + y,\ -1 + y = -1 + y,\ 1 + f(y) = -1 + y\}.$$

Next $y + 1 = x$ is processed. Its canonical form is $1 + y = x$, and the equality $1 + y = 1 + y$ is added to $S$. Solving $1 + y = x$ yields $x = 1 + y$, and $S$ is reset to

$$\{1 = 1,\ -1 = -1,\ x = 1 + y,\ -1 + x = y,\ f(-1 + x) = 3 + y,\ 1 + x = 2 + y,\ y = y,\ f(y) = -2 + y,\ -1 + y = -1 + y,\ 1 + f(y) = -1 + y,\ 1 + y = 1 + y\}.$$

The congruence closure operation $\mathit{cc}$ detects the congruence $f(-1 + x) \sim_S f(y)$ and invokes $\mathit{merge}$ on $3 + y$ and $-2 + y$. Solving this equality $3 + y = -2 + y$ yields $\bot$, returning the desired contradiction.

5  Analysis 

We describe the proofs of termination, soundness, and completeness, and also present a complexity analysis.

Key Invariants. The merge operation is clearly the workhorse of the procedure since it is invoked from within both assert and cc. Let $U(X)$ represent the set $\{a \in X \mid a \text{ uninterpreted}\}$ of uninterpreted terms in the set $X$. Let $A$ be $solvables(a)$, $B$ be $solvables(b)$, and $S' = merge(a, b, S)$, then assuming $U(A \cup B) \subseteq dom(S)$ and for all $c \in A \cup B$, $S(c) = c$, the following properties hold of $S'$ if they hold of $S$:

1. Functionality.

2. Subterm closure: $S$ is subterm-closed if for any $a \in dom(S)$, $[a] \subseteq dom(S)$.

3. Range closure: $S$ is range-closed if for any $a \in dom(S)$, $U(solvables(S(a))) \subseteq dom(S)$, and for any $c \in solvables(S(a))$, $S(c) = c$.

4. Norm closure: $S$ is norm-closed if $S(a) = norm(S)(a)$ for $a$ in $dom(S)$. This of course holds trivially for uninterpreted terms $a$.

5. Idempotence: $S$ is idempotent if $S[S(a)] = S(a)$, $norm(S)(S(a)) = S(a)$, and $norm(S)(norm(S)(a)) = norm(S)(a)$.

These properties can be easily established by inspection. Since whenever $merge(a, b, S)$ is invoked in the algorithm, the arguments do satisfy the conditions $U(A \cup B) \subseteq dom(S)$ and for all $c \in A \cup B$, $S(c) = c$, it then follows that these properties are also preserved by assert and cc, and therefore hold of $process(T)$. We assume below that these invariants hold of $S$ whenever the metavariable $S$ is used with or without subscripts or superscripts.

Lemma 5.1 (merge equivalence) Let $A = solvables(a)$ and $B = solvables(b)$. Given that $U(A \cup B) \subseteq dom(S)$ and for all $c \in A \cup B$, $S(c) = c$, if $S' = merge(a, b, S) \neq \bot$, then

1. $norm(S')(a) = norm(S')(b)$.

2. $U(dom(S')) = U(dom(S))$.

Proof. Let $R = solve(a = b)$. By definition, $merge(a, b, S) = S \circ R$. By Lemma 3.8, $norm(R)(a) = norm(R)(b)$. Since $S(c) = c$ for $c \in A \cup B$, $norm(S)(a) = a$ and $norm(S)(b) = b$. Hence, by norm decomposition, we have $norm(S')(a) = norm(S')(b)$.

By Definition 3.4, $dom(R) \subseteq A \cup B$, hence $U(dom(S')) = U(dom(S))$. ■

Termination. We define $\#(S)$ to represent the number of distinct equivalence classes partitioning $U(dom(S))$ as given by $P(S)$.

$E(S)(a) = \{b \in U(dom(S)) \mid S(b) = S(a)\}$

$P(S) = \{E(S)(a) \mid a \in U(dom(S))\}$

$\#(S) = |P(S)|$

The definition of $cc(S)$ terminates because the measure $\#(S)$ decreases with each recursive call. If in the definition of cc, $merge(S(a), S(b), S) = \bot$, then clearly cc terminates. Otherwise, let $S' = merge(S(a), S(b), S) \neq \bot$, for $a$ and $b$ in $dom(S)$ such that $S(a) \neq S(b)$ and $a \sim_S b$. In this case $a$ and $b$ must be uninterpreted terms since for interpreted terms $a$ and $b$, if $a \sim_S b$, then $S(a) = S(b)$ by norm closure. By merge equivalence, $norm(S')(S(a)) = norm(S')(S(b))$ and $U(dom(S')) = U(dom(S))$. By monotonicity, for any $c$ and $d$ such that $S(c) = S(d)$, we have $S'(c) = S'(d)$, and therefore $\#(S') \le \#(S)$. However, by norm closure, $S'(a) = S'(b)$ so that $\#(S') < \#(S)$.

Soundness. The following lemmas establish the soundness of the operations norm and can with respect to $S$. Substitution soundness and can soundness are proved by a straightforward induction on $a$, and norm soundness is a simple consequence of substitution soundness.

Lemma 5.2 (substitution soundness) If $vars(a) \subseteq vars(T \cup S)$, then $T, S \vdash a = a'$ is derivable, for $a' = S[a]$.

Lemma 5.3 (norm soundness) If $vars(a) \subseteq vars(T \cup S)$, then $T, S \vdash a = \hat{a}$ is derivable, where $\hat{a}$ abbreviates $norm(S)(a)$.

Lemma 5.4 (can soundness) If $vars(a) \subseteq vars(T \cup S)$, then $T, S \vdash a = \bar{a}$ is derivable, where $\bar{a}$ abbreviates $can(S)(a)$.

Lemma 5.5 (merge soundness) If $S' = merge(a, b, S) \neq \bot$, then if $T, S \vdash a = b$, and $T, S' \vdash c = d$ with $vars(c = d) \subseteq vars(T \cup S)$, then $T, S \vdash c = d$. Otherwise, $merge(a, b, S) = \bot$, and $T, S \vdash false$.

Proof. If $S' = merge(a, b, S) \neq \bot$, then let $R = solve(a = b)$. By norm soundness, $S, R \vdash S'$, and hence by cut, $T, S, R \vdash c = d$ is derivable. By the solve rule, $T, S \vdash c = d$ is derivable.

If $merge(a, b, S) = \bot$, then by similar reasoning using the solve-$\bot$ rule, $T, S \vdash false$ is derivable. ■

Lemma 5.6 (cc soundness) If $S' = cc(S) \neq \bot$ and $T, S' \vdash a = b$ for $vars(a = b) \subseteq vars(T, S)$, then $T, S \vdash a = b$ is derivable. Otherwise, $cc(S) = \bot$, and $S \vdash false$ is derivable.

Proof. By computation induction on the definition of cc using merge soundness. ■


Lemma 5.7 (process soundness) If $S = process(T_1) \neq \bot$, $T_1 \subseteq T_2$, and $T_2, S \vdash c = d$ for $vars(c = d) \subseteq vars(T_2)$, then $T_2 \vdash c = d$ is derivable. Otherwise, $process(T_1) = \bot$, and $T_1 \vdash false$ is derivable.

Proof. By induction on the length of $T_1$. In the base case, $S$ is empty and the theorem follows trivially. In the induction step, with $T_1 = \{a = b, T_1'\}$ and $S' = process(T_1')$, we have the induction hypothesis that $T_2 \vdash c = d$ is derivable if $T_2, S' \vdash c = d$ is derivable, for any $c, d$ such that $vars(c = d) \subseteq vars(T_2)$. We know by can soundness that $T_2, S' \vdash a = \bar{a}$ and $T_2, S' \vdash b = \bar{b}$ are derivable. When $S'$ is augmented with identities over subterms of $\bar{a}$ and $\bar{b}$ to get $S'^{+}$, we have the derivability of $T_2, S' \vdash S'^{+}$. By cc soundness, we then have the derivability of $T_2, S'^{+} \vdash c = d$ from that of $T_2, S \vdash c = d$. The derivability of $T_2, S' \vdash c = d$ then follows by cut from that of $T_2, S'^{+} \vdash c = d$, and we get the conclusion $T_2 \vdash c = d$ by the induction hypothesis.

A similar induction argument shows that when $process(T_1) = \bot$, then $T_2 \vdash false$. ■

Theorem 5.8 (soundness) If $S = process(T) \neq \bot$, $vars(a = b) \subseteq vars(T)$, and $\bar{a} = \bar{b}$, then $T \vdash a = b$ is derivable. Otherwise, $process(T) = \bot$, and $T \vdash false$ is derivable.

Proof. If $S = process(T) \neq \bot$, then by can soundness, $T, S \vdash a = \bar{a}$ and $T, S \vdash b = \bar{b}$ are derivable. Hence, by transitivity and symmetry, $T, S \vdash a = b$ is derivable. Therefore, by process soundness, $T \vdash a = b$ is derivable.

If $process(T) = \bot$, then already by process soundness, $T \vdash false$. ■

Completeness. We show that when $S = process(T)$ then $can(S)$ is a $\sigma$-model satisfying $T$. When this is the case, completeness follows from proof soundness. In proving completeness, we exploit the property that the output of process is congruence-closed.

Lemma 5.9 (confluence) If $S$ is congruence-closed and $U([a]) \subseteq dom(S)$, then $can(S)(a) = norm(S)(a)$.

Proof. The proof is by induction on $a$. In the base case, when $a$ is a variable, $can(S)(a) = S(a) = norm(S)(a)$.

If $a$ is uninterpreted and of the form $f(a_1, \ldots, a_n)$, then $can(S)(a) = lookup(S)(f(\bar{a}_1, \ldots, \bar{a}_n))$. Since $S$ is subterm-closed, by the induction hypothesis and norm closure, we have $\bar{a}_i = \hat{a}_i = S(a_i)$ for $0 < i \le n$. Then there must be some $b$ of the form $f(b_1, \ldots, b_n)$ such that $S(b_i) = S(a_i)$, for $0 < i \le n$, since $a$ itself is such a $b$. Then by congruence closure and norm closure, $\bar{a} = S(b) = S(a) = \hat{a}$, since $a \sim_S b$.

If $a$ is interpreted, by the induction hypothesis and subterm closure, $\bar{a} = \sigma(f(\bar{a}_1, \ldots, \bar{a}_n)) = \sigma(f(\hat{a}_1, \ldots, \hat{a}_n)) = \hat{a}$. ■

Lemma 5.10 (can composition) If $S' = S \circ R$ and $S'$ is congruence-closed, then $can(S')(can(S)(a)) = can(S')(a)$.

Proof. By induction on $a$. When $a$ is a variable, $can(S)(a) = S(a)$. If $a \notin dom(S)$, then $S(a) = a$, and hence the conclusion. Otherwise, by range closure, $U([S(a)]) \subseteq dom(S) \subseteq dom(S')$. Then, by confluence, norm decomposition, and idempotence,

$can(S')(S(a)) = norm(S')(S(a)) = norm(R)(norm(S)(S(a))) = norm(R)(norm(S)(a)) = norm(S')(a) = can(S')(a)$.

In the induction step, let $a = f(a_1, \ldots, a_n)$. If $a$ is uninterpreted, then if

$f(\bar{a}_1, \ldots, \bar{a}_n) \sim_S f(b_1, \ldots, b_n)$

for some $f(b_1, \ldots, b_n) \in dom(S)$, then $\bar{a} = S(f(b_1, \ldots, b_n))$. The reasoning used in the base case can then be repeated to derive the conclusion. Otherwise, $\bar{a} = f(\bar{a}_1, \ldots, \bar{a}_n)$ and by the induction hypothesis and the definition of can, $can(S')(\bar{a}) = lookup(S')(f(can(S')(\bar{a}_1), \ldots, can(S')(\bar{a}_n))) = can(S')(a)$.

When $a$ is interpreted, by the induction hypothesis and the $\sigma$-norm lemma,

$can(S')(\bar{a}) = can(S')(\sigma(f(\bar{a}_1, \ldots, \bar{a}_n))) = \sigma(f(can(S')(\bar{a}_1), \ldots, can(S')(\bar{a}_n))) = can(S')(a)$. ■

Lemma can composition with $\emptyset$ for $R$ yields the idempotence of $can(S)$ for congruence-closed $S$ so that we can define a $\sigma$-model $M_S$ in terms of $can(S)$. The domain $D$ of $M_S$ consists of $\{a \mid can(S)(a) = a\}$. The mapping of functions is such that $M_S(f)(a_1, \ldots, a_n) = lookup(S)(f(a_1, \ldots, a_n))$, if $f$ is uninterpreted. If $f$ is interpreted, $M_S(f)(a_1, \ldots, a_n) = \sigma(f(a_1, \ldots, a_n))$. If $\rho[x] = \rho(x)$ and $\rho[f(a_1, \ldots, a_n)] = f(\rho[a_1], \ldots, \rho[a_n])$, then by the idempotence of $can(S)$, $M_S[\![a]\!]_\rho$ is just $can(S)(\rho[a])$. Lemma $\sigma$-norm can then be used to show $M_S \models \sigma(a) = a$. $M_S$ is therefore a $\sigma$-model. Correspondingly, for a given set of variables $X$, $\rho_S$ is defined so that $\rho_S(x) = can(S)(x)$ for $x \in X$.


Lemma 5.11 (can $\sigma$-model) If $S = process(T) \neq \bot$ and $X = vars(T)$, then $M_S, \rho_S \models a = b$ for any $a = b \in T$.

Proof. Showing that $M_S, \rho_S \models a = b$ is the same as showing that $can(S)(a) = can(S)(b)$. The proof is by induction on $T$. In the base case, $T$ is empty. In the induction step, $T = \{a = b, T'\}$ with $X' = vars(T')$. Let $S' = process(T')$. By the induction hypothesis, $M_{S'}, \rho_{S'} \models T'$. With $S'^{+} = expand(S', a', b')$ for $a' = can(S')(a)$ and $b' = can(S')(b)$, let $S_0 = merge(a', b', S'^{+})$, hence by merge equivalence, $norm(S_0)(a') = norm(S_0)(b')$. By associativity of composition, it can be shown that there is an $R$ such that $S = S_0 \circ R$ and an $R'$ such that $S = S'^{+} \circ R'$. Hence by monotonicity, $norm(S)(a') = norm(S)(b')$. Since $S$ is congruence-closed, by confluence, $can(S)(a') = norm(S)(a')$ and $can(S)(b') = norm(S)(b')$. Hence, $can(S)(a') = can(S)(b')$.

It can also be shown that $can(S'^{+})(a) = can(S')(a)$, and similarly for $b$. Therefore, by can composition, we have $can(S)(a) = can(S)(b)$, and hence $M_S, \rho_S \models a = b$. A similar argument shows that for $c = d \in T'$, since $can(S')(c) = can(S')(d)$, we also have $can(S)(c) = can(S)(d)$. ■

When $T \vdash false$ is derivable, we know by proof soundness that there is no $\sigma$-model satisfying $T$ and hence by the can $\sigma$-model lemma, $process(T)$ must be $\bot$.

Theorem 5.12 (completeness) If $S = process(T) \neq \bot$ and $T \vdash a = b$, then $can(S)(a) = can(S)(b)$.

Proof. Since $M_S, \rho_S \models T$ by can $\sigma$-model for $X = vars(T)$, we have by proof soundness that $can(S)(a) = can(S)(b)$. ■

Complexity. We have already seen in the termination argument that the number of iterations of cc in process is bounded by the number of distinct equivalence classes of terms in $dom(S)$, which is no more than the number of distinct uninterpreted terms. We will assume that the solve operation is performed by an oracle and that there is some fixed bound on the size of the solution set returned by it. In the case of linear arithmetic, the solution set has at most one element. Let $n$ represent the number of distinct terms appearing in $T$, which is also a bound on $|S|$ and on the size of the largest term appearing in $S$. The composition operation can be implemented in linear time. Thus the entire algorithm has $O(n^2)$ steps assuming that the $\sigma$ and solve operations are length-preserving and ignoring the time spent inside solve.
6 Conclusions

Shostak’s decision procedure for equality in the presence of interpreted and uninterpreted functions is seriously flawed. It is both incomplete and nonterminating, and hence not a decision procedure. All subsequent variants of Shostak’s algorithm have been similarly flawed. This is unfortunate because decision procedures based on Shostak’s algorithm are at the core of a number of widely used verification systems. We have presented a correct algorithm that captures Shostak’s key insights, and described proofs of termination, soundness, and completeness.
Abstract. Decision procedures for combinations of theories are at the core of many modern theorem provers such as ACL2, Ehdm, PVS, SIMPLIFY, the Stanford Pascal Verifier, STeP, SVC, and Z/Eves. Shostak, in 1984, published a decision procedure for the combination of canonizable and solvable theories. Recently, Ruess and Shankar showed Shostak’s method to be incomplete and nonterminating, and presented a correct version of Shostak’s algorithm along with informal proofs of termination, soundness, and completeness. We describe a formalization and mechanical verification of these proofs using the PVS verification system. The formalization itself posed significant challenges and the verification revealed some gaps in the informal argument.


1  Introduction 

Decision procedures play an important role in a number of areas such as automated deduction, computer-aided verification, and constraint solving. Since bugs in decision procedures can lead to unsound inferences, it is natural to ask if such verification tools can themselves be verified. We present here the first instance of a verified decision procedure for a combination of theories based on Shostak’s ideas. Shostak’s algorithm [Sho84] for building decision procedures for the union of canonizable and solvable equational theories has been widely used despite the lack of a convincing correctness proof. Recently, Ruess and Shankar [RS01] showed that this algorithm (even with minor flaws corrected [CLS96]) was both nonterminating and incomplete. They gave a corrected version of the algorithm along with informal proofs for termination, soundness, and completeness. We undertook the challenge of formalizing and verifying these informal arguments using the PVS verification system [ORS92]. The results of our verification are presented here along with observations regarding the challenges that we encountered in the formalization and verification process.

* This work was funded by NSF Grant CCR-0082560, DARPA/AFRL Contract F33615-00-C-3043, and NASA Contract NAS 1-00079. Sam Owre, Harald Rueß, and John Rushby of SRI provided insightful comments on earlier drafts. We thank the anonymous referees for their constructive criticism.
The correctness of decision procedures has been an important theme in automated reasoning. Several approaches have been developed for using decision procedures to gain efficiency in proof construction without compromising soundness. The LCF approach [GMW79] admits only those decision procedures that can be introduced as tactics, which are metalanguage operations for reducing proof goals to subgoals in a way that is justifiable in terms of the primitive inferences of the object logic. Tactics can be hard to define (since they have to mimic proof steps) and inefficient (since they have to generate low-level inference steps). The generation of proof objects from finished proofs is another way of ensuring that each proof can be constructed using only the primitive inference steps. The construction of proof objects even from finished proofs can be inefficient in both time and space.

In order to avoid the inefficiency of fully expansive proof generation, a number of researchers have advocated the verification of decision procedures. Boyer and Moore [BM81] introduce a notion of metafunctions, i.e., function definitions in the object logic that could be applied to object logic expressions. They use computational reflection to capture the meanings of these expressions in the object logic and verify the soundness of some simple derived inference rules in this manner. Boyer and Moore [BM79] also verified the semantic correctness of a tautology checker for conditional expressions. Shankar [Sha85] verified both the semantic and proof-theoretic correctness of a tautology checker for propositional logic. Some recent examples of verified decision procedures include a Coq verification of a Gröbner basis algorithm for membership in polynomial ideals by Théry [The98], the verification of ordered binary decision diagram (OBDD) operations using PVS by von Henke, Pfab, Pfeifer, and Ruess [vHPPR98], and a similar Coq verification of OBDD operations by Verma and Goubault [VGL00]. Both the algorithm and the theory underlying the combination decision procedure considered here are significantly more complex than these previously verified decision procedures.

The primary contribution of our work is in demonstrating the feasibility of formally verifying complex decision procedures. The variant of Shostak’s algorithm we have verified is quite recent and its foundations are not widely understood. Our verification closely follows the published informal proof [RS01] so that we could directly assess its validity. We also used details from an unpublished report that included proofs of some of the lemmas that were given without proof in the published paper. The verification exposed some gaps in the informal argument. We found a monotonicity claim in the informal argument to be false without qualification, but only the qualified form was actually used. A step that is hinted at as being routine turned out to not be all that obvious. In the algorithm, any solution returned by the solver must contain variables that are either from the given equality or are “fresh”. Making the notion of freshness precise, and working with this constraint, proved to be one of the major challenges in the formal verification. The verification makes very heavy use of the PVS type system. Our use of PVS types exposed some of the weaknesses in a type propagation feature of the language called typing judgements.
Since PVS itself employs Shostak’s method (with the incompleteness and nontermination bugs), the validity of this verification might be called into question. However, the Shostak procedure used in PVS is not known to be unsound. Future versions of PVS will employ the ICS decision procedures [FORS01] that are based on the theory verified here. Despite the circularity between the verifier and the verified program, this kind of verification is still quite useful. An unsuccessful proof attempt might reveal significant bugs. A successful verification of the decision procedures could be certified through proof-object generation but subsequently used without the supporting proof objects.

The  decision  procedure  as  verified  here  is  not  executable,  but  it  is  possible  to 
derive  a  verified,  executable  version  that  can  be  turned  into  efficient  Common 
Lisp  code  [Sha99].  The  code  generated  from  the  verified  decision  procedure  is 
unlikely  to  be  as  efficient  as  the  highly  optimized  ICS  implementation,  but  it 
could  still  be  used  as  a  reference  procedure  that  can  be  invoked  when  certified 
results  are  needed. 

We  verify  both  soundness  and  completeness.  The  completeness  property  is 
crucial.  Higher-level  simplification  routines  might  diverge  or  behave  erroneously 
if  they  incorrectly  assume  completeness.  Due  to  its  complexity  and  popularity, 
the  verification  of  Shostak’s  algorithm  is  a  good  case-study  for  assessing  the 
feasibility  of  certifying  decision  procedures. 


2  Shostak’s  Algorithm 

We focus here on the verification of a decision procedure for equational theories where terms are constructed from a combination of interpreted and uninterpreted function symbols. There are two basic methods for building decision procedures for combinations of disjoint theories. Nelson and Oppen’s method [NO79] combines decision procedures for the individual theories by allowing them to share specific kinds of equality information. Shostak’s method [Sho84] extends congruence closure to equational theories that are canonizable and solvable. Nelson and Oppen’s method is more generally applicable, but Shostak’s method has certain advantages. It is an online algorithm, i.e., it processes inputs incrementally, so that the term universe for the input need not be known in advance. It also yields a useful function for computing a canonical form respecting the given input equalities.

All formulas are equalities between terms which are constructed from variables by means of $n$-ary function application for $n > 0$. Sequents of the form $T \vdash a = b$ assert the implication between the antecedent equalities in the set $T$ and the consequent equality $a = b$. The basic theory of equality with all function symbols uninterpreted, i.e., without any fixed interpretation, is decidable by means of congruence closure. Shostak’s algorithm extends the congruence closure decision procedure to handle interpreted operations from a canonizable and solvable theory. Informally, a theory is canonizable if there is a canonizer operation $\sigma$ such that $\sigma(a) = \sigma(b)$ exactly when $a = b$ is valid in the theory. It is solvable if there is an operation solve such that $solve(a = b)$ either returns $\bot$ when $a = b$ is unsatisfiable, or a solved form $S$ that is equivalent to $a = b$.

Shostak’s procedure takes as parameters a solver solve and canonizer $\sigma$ for a theory such as linear arithmetic. The algorithm verifies a sequent $T \vdash a = b$ by processing the equalities in $T$ to build a solution set $S$ of equalities in solved form, or to return $\bot$ indicating that a contradiction was found in $T$. If a solution set $S$ is returned, then one can use $S$ and $\sigma$ to define a canonizer can such that $can(S)(f(e))$ returns $\sigma(f(can(S)(e)))$ if $f$ is interpreted. If $f$ is uninterpreted, $can(S)(f(e))$ returns $c'$ for some $c$ equivalent to $f(can(S)(e))$ where $c = c'$ is in $S$. The conclusion equality $a = b$ can be tested for validity by checking if $can(S)(a) = can(S)(b)$. The operation $can(S)$ is also used for preprocessing the input equalities from $T$. The preprocessed input equalities are solved and the solution (if any) is composed with the existing value of $S$. The solution set $S$ is maintained in congruence-closed form so that the right-hand sides of congruent left-hand side terms are merged by solving the equality between them and merging the results into $S$.

The theory of linear arithmetic is a typical example of a canonizable and solvable theory. A canonizer can be given by means of a function that returns an ordered sum-of-products representation for a given linear polynomial by merging monomials over the same variable into a single monomial. A solver can be given by using algebraic manipulations to isolate a variable on the left-hand side. The Shostak procedure of Ruess and Shankar [RS01] can be illustrated on the sequent

$f(x - 1) - 1 = f(y) + 1,\ y - x + 1 = 0 \vdash false$,

where $+$, $-$, and the numerals are from the theory of linear arithmetic, false is an abbreviation for $0 = 1$, and $f$ is an uninterpreted function symbol. Starting with $S = \emptyset$ in the base case, the preprocessing of $f(x - 1) - 1 = f(y) + 1$ causes the equality to be placed into canonical form as $-1 + f(-1 + x) = 1 + f(y)$. The solution set $S$ is initialized to contain reflexivity statements for the non-interpreted subterms in the canonicalized input equality as $\{x = x,\ y = y,\ f(-1 + x) = f(-1 + x),\ f(y) = f(y)\}$. Solving $-1 + f(-1 + x) = 1 + f(y)$ yields $f(-1 + x) = 2 + f(y)$, and $S$ is set to $\{x = x,\ y = y,\ f(-1 + x) = 2 + f(y),\ f(y) = f(y)\}$. No unmerged congruences are detected in $S$. Next, $y - x + 1 = 0$ is canonized as $1 - x + y = 0$, and solved as $x = 1 + y$. This solution is composed with $S$ to yield $\{x = y + 1,\ y = y,\ f(-1 + x) = 2 + f(y),\ f(y) = f(y)\}$. The congruence between $f(-1 + x)$ and $f(y)$ is detected since the canonical form of $-1 + x$ is $y$ when the solution for $x$ is inserted and the result is canonized by $\sigma$. The procedure then tries to merge the respective solutions of $f(-1 + x)$ and $f(y)$ by solving $2 + f(y) = f(y)$. The solver returns $\bot$ so that the original sequent is asserted to be valid.

As a second example, one can check that the sequent $f(x - 1) - 1 = f(y) + 1 \vdash g(f(x - 1) - 2) = g(f(y))$ is valid by computing $S$ to be $\{x = x,\ y = y,\ f(-1 + x) = 2 + f(y),\ f(y) = f(y)\}$, and verifying $can(S)(g(f(x - 1) - 2)) = can(S)(g(f(y)))$.
3 Formalizing Shostak’s Algorithm in PVS

A brief introduction to PVS is given in Appendix A. The formalization exploits several advanced features of the PVS language including recursive datatypes, predicate subtypes, dependent types, Hilbert’s choice operator, and inductive relations. We describe the formalization in sufficient detail so that it can be checked for conformity with the informal arguments [RS01] (abbreviated below as RS) and reproduced using some other automated proof checker.¹

Syntax. Terms are built from a given signature consisting of a set of variables $X$ and function symbols $F$. A term is either a variable $x$ for $x \in X$ or of the form $f(a_1, \ldots, a_n)$, where $f \in F$. A term of the form $f(a_1, \ldots, a_n)$ is interpreted (respectively, uninterpreted) if $f$ is interpreted (respectively, uninterpreted). Terms are formalized by means of a recursive datatype syntax consisting of a constructor v for variables with a natural number index field index, and an application constructor app with a function symbol field func and an arguments field args which is formalized as a dependent type [below(arity(func)) -> syntax] which represents an array of syntax in the arity of the function symbol of the term. The type below(num) for a natural number num is the (possibly empty) subrange $0, \ldots, num - 1$.² The function symbol type funsymbs is also a datatype consisting of constructors ifn and ufn for interpreted and uninterpreted function symbols, respectively, each with an index field and an arity field, and a thry (theory) field for interpreted function symbols.

funsymbs: DATATYPE
BEGIN
  IMPORTING theories
  ifn(index: nat, arity: nat, thry: TH): ifn?
  ufn(index: nat, arity: nat): ufn?
END funsymbs

syntax: DATATYPE
BEGIN
  IMPORTING funsymbs, max_lemmas
  v(index: nat): v?
  app(func: funsymbs,
      args: [below(arity(func)) -> syntax]): app?
END syntax

Since we are admitting just one interpreted theory, we fix a theory th. The predicate thry_func checks that its argument is an interpreted function symbol from theory th. The type thry_func is the predicate subtype corresponding to the predicate thry_func.

¹ The complete PVS 2.4.1 dump file is available at ftp://ftp.csl.sri.com/pub/users/shankar/shostak-verification-dump.

² An application could also be formalized in terms of a list of arguments whose length is the arity of the function symbol. The array-based formalization has some important advantages. Terms are well-formed by construction, thus avoiding the need for cumbersome proof obligations. Operations on terms can be defined by a simple structural recursion without the use of mutual recursion on terms and lists of terms.


thry_func (f f : funsymbs) :  bool  = 

ifn? (ff )  AND  thry(ff)  =  th 

The type of equalities is defined as a record type with fields lhs and rhs.

equality: TYPE = [# lhs, rhs: syntax #]   % (3)


The variables a, b, and c are declared to range over terms, aa, bb, and cc range over equalities, and R, S, and T range over lists of equalities.

The set of variables in a term a is defined using datatype recursion as vars(a). Sets are just predicates in the higher-order logic, so that a variable x is in the set vars(a) iff vars(a)(x) holds. The set vars(a) can be shown to be finite by structural induction. A term a is well-typed in n for a natural number n if the index of any variable in a is below n. This is represented by the predicate well_typed?(n)(a) and the corresponding type typed(n). The operation of collecting the set of subterms of a given term is represented by subterm(a). The definitions of these operations are omitted.

Pure Terms. The canonizer and solver are defined for pure terms, i.e., terms without uninterpreted function symbols, but then applied to arbitrary terms by treating the uninterpreted subterms as variables. We formalize pure terms by means of a datatype pure that has two classes of variables: v(i) for the ordinary variables indexed by i, and u(a) corresponding to the uninterpreted term a. Function applications for pure terms are typed to contain only interpreted function symbols. It is easy to define an operation abs that converts a term to the corresponding pure term, and its inverse gamma.

pure[(IMPORTING theories) th: TH]: DATATYPE WITH SUBTYPES var?, func?   % (4)
BEGIN
  IMPORTING syntax_ops[th]
  v(index: nat): v? : var?
  u(a: uninterpreted): u? : var?
  app(func: thry_func,
      args: [below(arity(func)) -> pure]): app? : func?
END pure


Semantics. The semantics for a term a is given by $M[\![a]\!]\rho$ for an interpretation M over a domain D such that M(f) yields a mapping from $D^n$ to D for a function symbol f of arity n, and an assignment $\rho$ mapping variables to values in D. For variables, $M[\![x]\!]\rho = \rho(x)$, and $M[\![f(a_1, \ldots, a_n)]\!]\rho = M(f)(M[\![a_1]\!]\rho, \ldots, M[\![a_n]\!]\rho)$. We say that $M, \rho \models a = b$ iff $M[\![a]\!]\rho = M[\![b]\!]\rho$, and $M \models a = b$ iff $M, \rho \models a = b$ for all assignments $\rho$ over vars(a = b). An equality is valid if for all D, M: $M \models a = b$.

The concept of a valid equality requires quantification over all domains D and interpretations M over D. In PVS, such a domain would have to be introduced as the type parameter of a theory. Since PVS does not admit quantification over types, the domain must be given as a subset or a subtype of a fixed type. We take this fixed type to be the set of all terms.³ This type can be informally shown to be adequate for representing any domain set D for the purposes of equality. The assignment $\rho$ is formalized as a mapping from the set of all variables to the domain D.

In the semantics for pure terms, the domain type D is the type of pure terms and a model is a dependent record type consisting of a domain field mdom that is a subset of D, and a function interpretation field f that is a dependent type mapping a function ff and an array of argument valuations to a valuation for the application. The type arity(ff) is an abbreviation for below(arity(ff)).

D: TYPE+ = pure

model: TYPE = [# mdom: setof[D],
                 f: [ff: thry_func -> [[arity(ff) -> (mdom)] -> (mdom)]] #]


Solutions. The “state” of the algorithm is maintained in a solution set S that is just a list of equalities of a special form. The operation apply(S)(a) (informally, S(a)) is defined recursively to look up the solution for a (if any) in S.⁴

apply(S)(a): RECURSIVE syntax =
  CASES S OF
    null: a,
    cons(aa, R): IF lhs(aa) = a THEN rhs(aa) ELSE apply(R)(a) ENDIF
  ENDCASES
  MEASURE length(S)

The operation replace_vars(S)(d) (informally, S[d]) returns the result of replacing all occurrences of any left-hand side variable from S in a pure term d by the corresponding right-hand side. The replace_vars operation is extended from pure terms to arbitrary terms as replace_solvables. The operation subst(rho)(d) (used in 7) is similar to replace_vars(S)(d), but rho here is a substitution mapping variables to terms.

Canonizers. A canonizer $\sigma$ for pure terms from a theory $\tau$ is a parameter to the combination decision procedure. A valid canonizer is required to verify validities, i.e., $\models_\tau a = b$ implies $\sigma(a) = \sigma(b)$, and additionally preserve variables, $\sigma(x) = x$ and $vars(\sigma(a)) \subseteq vars(a)$, be idempotent, $\sigma(\sigma(a)) = \sigma(a)$, and leave subterms canonical, $\sigma(b) = b$ for any subterm b of $\sigma(a)$. These conditions on a valid canonizer are captured by the predicate canonizer?(sigma). The validity condition is awkward since it uses an oracle $\models_\tau$ for $\tau$-validity. We found a way to replace this condition by the sufficient pair of conditions on $\sigma$:

1. $\sigma$-substitutivity: $\sigma(\rho[a]) = \sigma(\rho[\sigma(a)])$, for any substitution $\rho$, and

2. $\sigma$-distributivity: $\sigma(f(\sigma(a_1), \ldots, \sigma(a_n))) = \sigma(f(a_1, \ldots, a_n))$.

³ The type of closed terms, when nonempty, is also a valid candidate for the domain.

⁴ The termination of the recursive definition is justified by the measure length(S) which causes the typechecker to generate proof obligations verifying that the measure decreases with each recursive call.

canonical?(sigma)(a) is defined to hold when sigma(a) = a.

canonizer?(sigma): bool =   % (7)
  (FORALL d, rho: sigma(subst(rho)(d)) = sigma(subst(rho)(sigma(d))))
  AND (FORALL d: app?(d) IMPLIES
         sigma(app(func(d), LAMBDA (i: arity(func(d))): sigma(args(d)(i))))
         = sigma(d))
  AND (FORALL u: sigma(u) = u)
  AND (FORALL d, u: vars(sigma(d))(u) IMPLIES vars(d)(u))
  AND (FORALL d: sigma(sigma(d)) = sigma(d))
  AND (FORALL d, f: sigma(d) = f IMPLIES
         (FORALL (i: arity(func(f))): canonical?(sigma)(args(f)(i))))

The adaptation of the canonizer from pure terms to terms is done through gamma and abs. The canonizer for arbitrary terms, sig(a) (used in 9 and 10), is defined as gamma(sigma(abs(a))), where sigma is the given canonizer for pure terms. Model M is a $\sigma$-model if $M \models \sigma(a) = a$ for all a, and a = b is $\sigma$-unsatisfiable (formalized as the PVS predicate unsatisfiable) if $M, \rho \not\models a = b$ for all M and $\rho$.

Solver. A solver solve is another parameter to the algorithm. A valid solver must be such that solve(a = b) either returns $\bot$ when a = b is $\sigma$-unsatisfiable, or returns a (possibly empty) list S of n equalities of the form $x_i = t_i$ for $1 \le i \le n$, where $x_i \in vars(a = b)$, $x_i \neq x_j$ for $i \neq j$, $x_i \notin vars(t_j)$, $t_i$ is canonical ($\sigma(t_i) = t_i$), for $1 \le i, j \le n$, and a = b and S are $\sigma$-equivalent: for all $\sigma$-models M and assignments $\rho$ over the variables in a and b, $M, \rho \models a = b$ iff there is an assignment $\rho'$ extending $\rho$, over the variables in S, a, and b, such that $M, \rho' \models S$.

The notion of a solution for pure term equalities is formalized as the predicate solve(n, dd, S) for an index n, an equality dd, and a solution list S. The predicate checks that dd is satisfiable and that the solution list of equalities S is a well-formed solution that is $\sigma$-equivalent (formalized as the PVS predicate sig_equivalent?) to dd. Any variables in S not in dd must be of index above n.

A pure term solver is easily extended to one that works on terms. A given solver solv is typed so that solv(m, dd) returns a dependent record r with fields n and s, where r`n is an index that is at least m and r`s is either bottom or of the form up(S) for a solution list of equalities S that is well-typed in r`n.

Canonical Forms. The operation norm(S)(a) (represented as norm(S)(a)) for a canonizer sig is informally defined as $\sigma(S[a])$. The definition of norm is used to show that if solve(m, aa, S) holds, then norm(S)(lhs(aa)) = norm(S)(rhs(aa)), and to define the composition of two equality lists R and S as $R \circ S$.

norm(S)(a): syntax = sig(replace_solvables(S)(a))   % (9)

o(R, S): RECURSIVE eqlist =
  CASES R OF
    null: S,
    cons(aa, T): cons(eq(lhs(aa), norm(S)(rhs(aa))), T o S)
  ENDCASES
  MEASURE length(R)

Since composition is defined recursively, its definition includes a termination measure length(R) that is used to generate termination proof obligations. The definitions above are used to prove the associativity of composition and the claim: $norm(R \circ S)(a) = norm(S)(norm(R)(a))$.

The operation lookup(S)(a) is defined so that if a is a variable, then it returns apply(S)(a) which is the formalization of S(a). When a is an application, then lookup is defined to scan S till it finds an equality whose left-hand side is of the form $f(a_1, \ldots, a_n)$, where $f(norm(S)(a_1), \ldots, norm(S)(a_n)) = a$.⁵

The canonizer can(S)(a) is then defined in terms of the lookup operation.

can(S)(a): RECURSIVE syntax =
  CASES a OF
    v(i): apply(S)(a),
    app(ff, args):
      IF intheory?(a)
        THEN sig(app(ff, LAMBDA (i: arity(ff)): can(S)(args(i))))
        ELSE lookup(S)(app(ff, LAMBDA (i: arity(ff)): can(S)(args(i))))
      ENDIF
  ENDCASES
  MEASURE rank(a)

Congruence. Congruence with respect to a solution set S, $f(a_1, \ldots, a_n) \sim_S f(b_1, \ldots, b_n)$, is defined to hold exactly when $norm(S)(a_i) = norm(S)(b_i)$ for $1 \le i \le n$. This is captured formally by the predicate congruent(S)(a, b).

⁵ This definition of lookup is slightly different from that of RS which uses $S(a_i)$ instead of $norm(S)(a_i)$. The RS definition requires keeping dom(S) subterm-closed, whereas we only require closure under the uninterpreted subterms. Our definition is executable in contrast to the RS definition which uses Hilbert’s epsilon operator.
congruent(S)(a, b): bool =
  app?(a) AND
  app?(b) AND
  func(a) = func(b) AND
  (FORALL (i: arity(func(a))): norm(S)(args(a)(i)) = norm(S)(args(b)(i)))

A solution set is congruence-closed when the right-hand sides corresponding to any pair of congruent left-hand sides are identical.

congruence_closed(S): bool =
  (FORALL (a, b: (dom(S))): congruent(S)(a, b) IMPLIES apply(S)(a) = apply(S)(b))

The solution set that forms the “state” of the algorithm is typed to satisfy the invariants given by the predicate invariants(S). These invariants assert that the left-hand sides of equalities in the solution set S must be variables or uninterpreted terms, the uninterpreted subterms of any equality in S must be in the domain of S, any right-hand side term must be canonical, and S(a) and norm(S)(a) must coincide for any $a \in dom(S)$, among other conditions. The predicate invariants(S) is used to define a type above_tinvariants(n) which ensures that the state is a record r consisting of an index r`n and a solution set r`s which is either bottom or up(S), where S is well-typed in r`n and satisfies invariants(S).


The Main Procedure. The congruence closure operation cc(r) successively merges the right-hand sides corresponding to chosen congruent pairs of left-hand side terms in the solution set r`s. The operation merge(m, aa, S) (used in 13 and 14) computes solv(m, aa) as a record r, returning bottom if r`s is bottom, and the record (# n := r`n, s := S o down(r`s) #) otherwise, where down(up(R)) is R. The return type of cc ensures that cc(r)`s is bottom when r`s is bottom and that cc(r)`s satisfies the invariants spelled out above when it is different from bottom. The termination of cc, a significant step in the proof, is established by showing that the number of equivalence classes of uninterpreted terms in the domain of r`s decreases with each recursive call. The invariants on the solution set play a crucial role in proving termination.


cc(r): RECURSIVE {s: above_tinvariants(r`n) | bottom?(r`s) IMPLIES bottom?(s`s)} =   % (13)
  CASES r`s OF
    bottom: tbottom,
    up(T): IF (NOT congruence_closed(T))
             THEN cc(merge(r`n, apply(T)(choose(congruent_pair?(T))), T))
             ELSE r
           ENDIF
  ENDCASES
  MEASURE cc_rank(r)


The assert(r, aa) operation places aa in canonical form as aa', then expands r`s (if r`s is up(T)) with dummy identities for the new subterms in aa' as expand(T, aa'). It then merges aa' into this expanded solution set and applies congruence closure cc to the result.

assert((r: {r: tinvariants | up?(r`s) IMPLIES congruence_closed(down(r`s))}),   % (14)
       (aa: typed_equality(r`n))):
  {s: above_tinvariants(r`n) | up?(s`s) IMPLIES congruence_closed(down(s`s))} =
  CASES r`s OF
    bottom: tbottom,
    up(T): cc(merge(r`n, can(T)(aa), expand(T, can(T)(aa))))
  ENDCASES

Finally, process(m, S) returns a record consisting of a number n and a well-typed solution in n which may be bottom. The type of process(m, S) ensures that any solution returned is congruence-closed.

process(m, (S: typed_eqlist(m))): RECURSIVE   % (15)
  {r: above_tinvariants(m) | up?(r`s) IMPLIES congruence_closed(down(r`s))} =
  CASES S OF
    null: (# n := m, s := up(null) #),
    cons(aa, T): IF up?(process(m, T)`s)
                   THEN assert(process(m, T), aa)
                   ELSE tbottom
                 ENDIF
  ENDCASES
  MEASURE length(S)

The  type  and  termination  proof  obligations  generated  by  the  PVS  typechecker 
corresponding  to  the  subtype  constraints  and  measures  given  with  the  definitions 
of  process,  cc,  and  other  related  definitions,  ensure  the  well-typedness  and 
termination  of  process. 
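To make the definitions of norm, composition, lookup, can and the cc/assert/process loop concrete, here is an added example (my own code, not the paper's PVS or any SRI tool) that instantiates them for the pure-equality case: no interpreted symbols, so sigma is the identity and the solver only orients an equality. Two assumptions of this example, not of the paper: PVS's non-executable choose is replaced by a first-match in list order, and lookup returns its argument when no left-hand side matches. The final function performs the sequent check of Section 4 (valid iff can(S)(a) = can(S)(b)).

```python
# Added example (not from the paper or its PVS sources): the solution-set algorithm above
# for pure equality, where every function symbol is uninterpreted, sigma is the identity
# and solve merely orients. Terms: variable = str, application = (symbol, arg1, ..., argn);
# a solution set S is a list of (lhs, rhs) pairs, lhs a variable or uninterpreted term.

def apply(S, a):
    """S(a): the first solution recorded for a in S, or a itself (PVS apply(S)(a))."""
    for lhs, rhs in S:
        if lhs == a:
            return rhs
    return a

def norm(S, a):
    """norm(S)(a) = sigma(S[a]); here sigma is the identity and S[a] reduces to S(a)."""
    return apply(S, a)

def compose(R, S):
    """R o S (definition 9): rewrite the right-hand sides of R with S, then append S."""
    return [(lhs, norm(S, rhs)) for lhs, rhs in R] + S

def dom(S):
    return [lhs for lhs, _ in S]
def size(a):
    return 1 if isinstance(a, str) else 1 + sum(size(t) for t in a[1:])

def lookup(S, a):
    """S(a) for variables; for f(a1..an) the rhs of the first lhs whose normalized
    arguments equal those of a; a itself when nothing matches (assumption)."""
    if isinstance(a, str):
        return apply(S, a)
    for lhs, rhs in S:
        if (isinstance(lhs, tuple) and lhs[0] == a[0] and len(lhs) == len(a)
                and tuple(norm(S, t) for t in lhs[1:]) == a[1:]):
            return rhs
    return a

def can(S, a):
    """can(S)(a): canonize the arguments recursively, then look the result up."""
    if isinstance(a, str):
        return apply(S, a)
    return lookup(S, (a[0],) + tuple(can(S, t) for t in a[1:]))

def congruent(S, a, b):
    """f(a1, ..., an) ~S f(b1, ..., bn) iff norm(S)(ai) = norm(S)(bi) for every i."""
    return (isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0]
            and len(a) == len(b)
            and all(norm(S, x) == norm(S, y) for x, y in zip(a[1:], b[1:])))

def congruent_pair(S):
    """First congruent pair of domain terms with distinct solutions, else None
    (the paper uses a non-executable choose here)."""
    for a in dom(S):
        for b in dom(S):
            if congruent(S, a, b) and apply(S, a) != apply(S, b):
                return a, b
    return None

def solve(aa):
    """Pure-equality solver: [] for a = a, else orient so the smaller side is the
    solution; any orientation is valid and pure equality is never unsatisfiable."""
    a, b = aa
    if a == b:
        return []
    return [(a, b)] if (size(b), repr(b)) < (size(a), repr(a)) else [(b, a)]

def cc(S):
    """Merge congruent pairs until none remain; each merge removes one value from the
    right-hand sides of S, so the loop terminates."""
    while (pair := congruent_pair(S)) is not None:
        a, b = pair
        S = compose(S, solve((apply(S, a), apply(S, b))))   # merge(m, S(a) = S(b), S)
    return S

def subterms(a):
    """Subterms of a in post-order, so arguments precede the terms built from them."""
    if isinstance(a, str):
        return [a]
    return [s for t in a[1:] for s in subterms(t)] + [a]

def expand(S, aa):
    """Add dummy identities u = u for uninterpreted subterms of aa not yet in dom(S)."""
    for side in aa:
        for u in subterms(side):
            if isinstance(u, tuple) and u not in dom(S):
                S = S + [(u, u)]
    return S

def assert_eq(S, aa):
    """assert(r, aa): canonize aa, expand S with its new subterms, merge, then close."""
    aa = (can(S, aa[0]), can(S, aa[1]))
    return cc(compose(expand(S, aa), solve(aa)))

def process(T):
    """Assert the equalities of T from the last to the first, as the PVS recursion does."""
    S = []
    for aa in reversed(T):
        S = assert_eq(S, aa)
    return S

def valid(T, a, b):
    """T |- a = b iff a and b canonize alike under process(T); no bottom case here."""
    S = process(T)
    return can(S, a) == can(S, b)
```

With f uninterpreted, valid([(f(f(f(x))), x), (f(f(f(f(f(x))))), x)], f(x), x) returns True, while valid([(f(f(x)), x)], f(x), x) returns False.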


4  Verifying  Shostak’s  Algorithm  in  PVS 

The algorithm verifies a sequent $T \vdash a = b$ by computing S = process(T). The sequent is considered valid if either $S = \bot$ or can(S)(a) = can(S)(b). The soundness of the procedure is established relative to a proof system whose inference rules characterize when a sequent $T \vdash a = b$ is derivable. We prove that the following are equivalent:

1. If process(T) = S then $S = \bot$ or can(S)(a) = can(S)(b).

2. $T \vdash a = b$ is derivable.

3. $T \vdash a = b$ is $\sigma$-valid, i.e., valid in all $\sigma$-models.

The implication from (1) to (2) is the soundness argument. The implication from (2) to (3) validates the soundness of the proof system with respect to $\sigma$-models. The implication from (3) to (1) establishes the completeness of the decision procedure.

For verifying soundness, we first formally define the class of provable sequents by means of an inductive definition of a predicate has_proof?(m, T, aa) for an index m, a list of equalities T, and an equality aa.


has_proof?(m, (T: typed_eqlist(m)), (aa: typed_equality(m))): INDUCTIVE bool =
  member(aa, T) OR                                        % Axiom
  lhs(aa) = rhs(aa) OR                                    % Reflexivity
  has_proof?(m, T, eq(rhs(aa), lhs(aa))) OR               % Symmetry
  (EXISTS (a: typed(m)):                                  % Transitivity
     has_proof?(m, T, eq(lhs(aa), a)) AND
     has_proof?(m, T, eq(a, rhs(aa)))) OR
  (LET a = lhs(aa), b = rhs(aa) IN                        % Congruency
     app?(a) AND app?(b) AND
     func(a) = func(b) AND
     (FORALL (i: arity(func(a))):
        has_proof?(m, T, eq(args(a)(i), args(b)(i))))) OR
  (rhs(aa) = sig(lhs(aa))) OR                             % Canonization
  (EXISTS (bb: typed_equality(m)),                        % Solve
          (n: upfrom(m)), (S: typed_eqlist(n)):
     solve(m, bb, S) AND
     has_proof?(m, T, bb) AND
     has_proof?(n, append(T, S), aa)) OR
  (EXISTS (bb: typed_equality(m)):                        % Contradiction
     unsatisfiable(bb) AND
     has_proof?(m, T, bb))

The proof soundness theorem below captures the implication from (2) to (3) above. It asserts that any provable sequent is $\sigma$-valid since the variable M is declared to range over $\sigma$-models. It can be proved by the induction scheme generated by the inductive definition of has_proof?.

proof_soundness: LEMMA   % (17)
  (FORALL m, (T: typed_eqlist(m)), (aa: typed_equality(m)):
     has_proof?(m, T, aa) IMPLIES
       (FORALL M, (rho: assign(M)): satisfies(M, rho)(T, aa)))


The following two theorems correspond to the implication between (1) and (2) above. These theorems capture the respective cases of soundness when process(m, S) returns a valid solution or a bottom value.

soundness_1: THEOREM
  (FORALL m, (S: typed_eqlist(m)), (a, b: typed(m)):
     up?(process(m, S)`s) AND
     can(down(process(m, S)`s))(a) = can(down(process(m, S)`s))(b)
     IMPLIES has_proof?(m, S, eq(a, b)))

soundness_2: THEOREM
  (FORALL m, (S: typed_eqlist(m)), (aa: typed_equality(m)):
     bottom?(process(m, S)`s) IMPLIES has_proof?(m, S, aa))

Completeness is proved by constructing a canonical $\sigma$-model $M_R$ and assignment $\rho_R$, where $R = process(T) \neq \bot$. The bulk of the proof involves showing that this construction does in fact yield a $\sigma$-model satisfying the equalities in T. A crucial property for demonstrating this is confluence which asserts that can(S)(a) = norm(S)(a) when S is congruence-closed and the uninterpreted terms of a are included in dom(S).


confluence: LEMMA   % (20)
  invariants(S) AND
  congruence_closed(S) AND
  subset?(U(subterm(a)), dom(S)) IMPLIES
    can(S)(a) = norm(S)(a)

Completeness is then proved as the theorem below which formalizes the implication from (2) to (1) above, but it is verified via proof soundness and (3). The theorem states that when the sequent $S \vdash a = b$ is derivable, then either $process(S) = \bot$ or process(S) = T and can(T)(a) = can(T)(b).

completeness: LEMMA   % (21)
  (FORALL m, (S: typed_eqlist(m)), T, (aa: typed_equality(m)):
     up?(process(m, S)`s) AND
     down(process(m, S)`s) = T AND
     has_proof?(m, S, aa) IMPLIES
       can(T)(lhs(aa)) = can(T)(rhs(aa)))


5  Concluding  Observations 

Both the formalization and the verification closely follow the informal presentation RS [RS01]. There were some areas where RS was found to be inadequate or incorrect and where PVS itself was deficient.⁶

RS is terse about the introduction of fresh variables by the solve operation. These variables must be fresh with respect to the entire execution of the algorithm or the construction of a proof. Proof transformations like weakening and cut require the variables generated by solve to be invariant with respect to a certain kind of renaming.⁷ The bookkeeping involved in tracking the well-formedness of terms and equalities up to a given index occupies a substantial fraction of the effort in both the formalization and proof. PVS has a judgement mechanism that records certain typing relations for use in the typechecker, but we were unable to use it for demonstrating that an expression well-typed in n is also well-typed in any index above n.

⁶ One minor problem was already noticed prior to this verification attempt. Several of the lemmas in the informal proof regarding the composition of solutions were qualified with the condition that $R \cup S$ be functional, where the appropriate condition is that $R \circ S$ must be functional. This was immaterial for the verification since the definition of composition is in terms of lists and not sets.

⁷ A similar renaming problem arises with alpha-renaming in the lambda-calculus and eigenvariables in sequent proofs, but the renaming issue is far more complicated

Quantification  over  types,  needed  to  define  semantic  validity,  is  not  expressible 
in  PVS.  We  instead  restricted  the  semantic  domains  to  subtypes  of  the  type  of 
terms  since  any  model  for  terms  and  equalities  is  essentially  characterized  by  a 
partition  of  the  term  universe  into  equivalence  classes. 

A monotonicity lemma is stated in the informal proof (Lemma 3.12) as: If $R \cup S$ is functional, then if R(a) = R(b), then $(R \circ S)(a) = (R \circ S)(b)$, for any a and b. In addition to the above-mentioned correction to the antecedent, this lemma only holds when a and b are in dom(R). Fortunately, only the weak form of this lemma is actually used.

In the RS proof of Lemma 5.11, it is claimed that it can also be shown that can(S'')(a) = can(S')(a), and similarly for b. This claim asserts that padding the solution set S' with reflexivity equalities on the subterms from can(S')(a) does not affect the value of can(S')(a). The claim is in fact valid, but the proof is not all that obvious.

Despite  the  flaws  identified  above,  the  RS  proofs  held  up  quite  well  to  the 
rigors  of  formal  scrutiny.  We  were  actually  operating  from  a  draft  document 
that  contained  proofs  of  lemmas  that  were  given  without  proof  in  the  published 
version.  Once  the  formalization  challenges  were  overcome,  it  was  possible  to  make 
steady  progress  in  the  mechanical  verification  of  the  proofs.  The  procedure  as 
we  have  defined  it  is  not  executable  since  it  uses  a  choice  operator.  Further  work 
is  needed  to  derive  efficiently  executable  versions  of  the  verified  algorithm  while 
preserving  its  correctness. 

The formalization and proof occupied four months of work with PVS carried out entirely by the first author.⁸ The proof involves 68 theories, 120 definitions, 192 TCCs (typing and termination proof obligations), 594 lemmas, and the proof checking time is 2,265 seconds on a 1-Gigahertz Pentium 3. There are roughly 6,200 tokens in the detailed informal presentation as measured by a word count of the text file generated from the LaTeX input. There are approximately 13,000 tokens in the PVS specification, and over 25,000 tokens in the PVS proofs. The proof is highly interactive. We are currently working on improving the degree of mechanization in various ways. The level of effort indicates that the certification of complex decision procedures remains a tough challenge.
A Introduction to PVS

We give a very brief introduction to the PVS language and proof checker. PVS specifications are a collection of theories. A theory can have type or individual parameters that are instantiated when the theory is imported within another theory. A parameterized theory can include constraining assumptions on the parameters. The instances of these assumptions corresponding to the actual parameters are generated as proof obligations when a theory instance is imported.

A theory is a list of declarations of types, constants, and formulas. The expression language of PVS is based on simply typed higher-order logic extended with predicate subtypes, dependent types, and recursive datatypes. PVS types consist of the base types bool and real, and compound types constructed as tuples, as in [bool, real], records, as in [# flag: bool, length: real #], or function types of the form [A -> B]. Predicates over a type A are of type [A -> bool].

Predicate subtypes are a distinctive feature of the PVS higher-order logic. Given a predicate p over A, {x: A | p(x)} (or, (p)) is a predicate subtype of A consisting of those elements of A satisfying p. The type nzreal of nonzero reals can be defined as {x: real | x /= 0}. The type nat of natural numbers is a predicate subtype of the type int of integers, which in turn is a subtype of the subtype rat (of real) of rational numbers. Subranges can also be defined as predicate subtypes, and arrays can be typed as functions with subranges as domains, e.g., [below(N) -> A]. The PVS typechecker generates proof obligations (called TCCs) corresponding to predicate subtype constraints. Out-of-bounds array accesses generate unprovable TCCs.

Dependent versions of tuple, record, and function types can be constructed by introducing dependencies between different components of the type through predicates. Dependent typing can be used to define a finite sequence (of arbitrary length) as a dependent record consisting of a length and an array of the given length [# length: nat, seq: [below(length) -> T] #].

PVS expressions include variables x, constants c, applications f(a), and abstractions LAMBDA (x: T): a, conditionals IF $a_1$ THEN $a_2$ ELSE $a_3$ ENDIF, tuple expressions $(a_1, \ldots, a_n)$, tuple projections a`i, record expressions (# $f_1$ := $a_1$, ... #), record projections a`l, and (tuple, record, and function) updates e[a := v].

The  definition  of  a  recursive  datatype  can  be  illustrated  with  the  list  type 
built  from  the  constructors  cons  and  null.  Theories  containing  the  relevant 
axioms,  induction  schemes,  and  useful  datatype  operations  are  generated  from 
the  datatype  declaration. 

list[T: TYPE]: DATATYPE
BEGIN
  null: null?
  cons(car: T, cdr: list): cons?
END list
Abstract. Ground decision procedures for combinations of theories are used in many systems for automated deduction. There are two basic paradigms for combining decision procedures. The Nelson-Oppen method combines decision procedures for disjoint theories by exchanging equality information on the shared variables. In Shostak’s method, the combination of the theory of pure equality with canonizable and solvable theories is decided through an extension of congruence closure that yields a canonizer for the combined theory. Shostak’s original presentation, and others that followed it, contained serious errors which were corrected for the basic procedure by the present authors. Shostak also claimed that it was possible to combine canonizers and solvers for disjoint theories. This claim is easily verifiable for canonizers, but is unsubstantiated for the case of solvers. We show how our earlier procedure can be extended to combine multiple disjoint canonizable, solvable theories within the Shostak framework.


1  Introduction 

Consider the sequent

$$2 * car(x) - 3 * cdr(x) = f(cdr(x)) \;\vdash\; f(cons(4 * car(x) - 2 * f(cdr(x)), y)) = f(cons(6 * cdr(x), y)).$$

* This work was funded by NSF Grant CCR-0082560, DARPA/AFRL Contract F33615-00-C-3043, and NASA Contract NAS1-00079. During a phone conversation with the first author on 2nd April 2001, Rob Shostak suggested that the problem of combining Shostak solvers could be solved through variable abstraction. His suggestion is the key inspiration for the combination of Shostak theories presented here. We thank Clark Barrett, Sam Owre, and Ashish Tiwari for their meticulous reading of earlier drafts. We also thank Harald Ganzinger for pointing out certain limitations of our original definition of solvability with respect to $\sigma$-models. The first author is grateful to the program committees and program chairs of the FME, LICS, and RTA conferences at FLoC 2002 for their kind invitation.
It involves symbols from three different theories. The symbol f is uninterpreted, the operations * and − are from the theory of linear arithmetic, and the pairing and projection operations cons, car, and cdr are from the theory of lists. There are two basic methods for building combined decision procedures for disjoint theories, i.e., theories that share no function symbols. Nelson and Oppen [NO79] gave a method for combining decision procedures through the use of variable abstraction for replacing subterms with variables, and the exchange of equality information on the shared variables. Thus, with respect to the example above, decision procedures for pure equality, linear arithmetic, and the theory of lists can be composed into a decision procedure for the combined theory. The other combination method, due to Shostak, yields a decision procedure for the combination of canonizable and solvable theories, based on the congruence closure procedure. Shostak’s original algorithm and proof were seriously flawed. His algorithm is neither terminating nor complete (even when terminating). These flaws went unnoticed for a long time even though the method was widely used, implemented, and studied [CLS96,BDL96,Bjø99]. In earlier work [RS01], we described a correct algorithm for the basic combination of a single canonizable, solvable theory with the theory of equality over uninterpreted terms. That correctness proof has been mechanically verified using PVS [FS02]. The generality of the basic combination rests on Shostak’s claim that it is possible to combine solvers and canonizers from disjoint theories into a single canonizer and solver. This claim is easily verifiable for canonizers, but fails for the case of solvers. In this paper, we extend our earlier decision procedure to the combination of uninterpreted equality with multiple canonizable, solvable theories. The decision procedure does not require the combination of solvers. We present proofs for the termination, soundness, and completeness of our procedure.


2  Preliminaries

We introduce some of the basic terminology needed to understand Shostak-style decision procedures. Fixing a countable set of variables $X$ and a set of function symbols $F$, a term is either a variable $x$ from $X$ or an $n$-ary function symbol $f$ from $F$ applied to $n$ terms as in $f(a_1, \ldots, a_n)$. Equations between terms are represented as $a = b$. Let $vars(a)$, $vars(a = b)$, and $vars(\Gamma)$ represent the sets of variables in $a$, $a = b$, and the set of equalities $\Gamma$, respectively. We are interested in deciding the validity of sequents of the form $\Gamma \vdash c = d$ where $c$ and $d$ are terms, and $\Gamma$ is a set of equalities such that $vars(c = d) \subseteq vars(\Gamma)$. The condition $vars(c = d) \subseteq vars(\Gamma)$ is there for technical reasons. It can always be satisfied by padding $\Gamma$ with reflexivity assertions $x = x$ for any variables $x$ in $vars(c = d) - vars(\Gamma)$. We write $\lceil a \rceil$ for the set of subterms of $a$, which includes $a$.


The semantics for a term $a$, written as $M[\![a]\!]\rho$, is given relative to an interpretation $M$ over a domain $D$ and an assignment $\rho$. For an $n$-ary function $f$, the interpretation $M(f)$ of $f$ in $M$ is a map from $D^n$ to $D$. For an uninterpreted $n$-ary function symbol $f$, the interpretation $M(f)$ may be any map from $D^n$ to $D$, whereas only restricted interpretations might be suitable for an interpreted function symbol like the arithmetic $+$ operation. An assignment $\rho$ is a map from variables in $X$ to values in $D$. We define $M[\![a]\!]\rho$ to return a value in $D$ by means of the following equations.

$M[\![x]\!]\rho = \rho(x)$

$M[\![f(a_1, \ldots, a_n)]\!]\rho = M(f)(M[\![a_1]\!]\rho, \ldots, M[\![a_n]\!]\rho)$

We say that $M, \rho \models a = b$ iff $M[\![a]\!]\rho = M[\![b]\!]\rho$, and $M \models a = b$ iff $M, \rho \models a = b$ for all assignments $\rho$. We write $M, \rho \models S$ when $\forall a, b : a = b \in S \Rightarrow M, \rho \models a = b$, and $M, \rho \models (\Gamma \vdash a = b)$ when $(M, \rho \models \Gamma) \Rightarrow (M, \rho \models a = b)$. A sequent $\Gamma \vdash c = d$ is valid, written as $\models (\Gamma \vdash c = d)$, when $M, \rho \models (\Gamma \vdash c = d)$ for all $M$ and $\rho$.

There is a simple pattern underlying the class of decision procedures studied here. Let $\psi$ be the state of the decision procedure as given by a set of formulas.¹ Let $\tau$ be a family of state transformations so that we write $\psi \xrightarrow{\tau} \psi'$ if $\psi'$ is the result of applying a transformation in $\tau$ to $\psi$, where $vars(\psi) \subseteq vars(\psi')$ (variable preservation). An assignment $\rho'$ is said to extend $\rho$ over $vars(\psi') - vars(\psi)$ when it agrees with $\rho$ on all variables except those in $vars(\psi') - vars(\psi)$, for $vars(\psi) \subseteq vars(\psi')$. We say that $\psi'$ preserves $\psi$ if $vars(\psi) \subseteq vars(\psi')$ and for all interpretations $M$ and assignments $\rho$, $M, \rho \models \psi$ holds iff there exists an assignment $\rho'$ extending $\rho$ such that $M, \rho' \models \psi'$.² When preservation is restricted to a limited class of interpretations $\iota$, we say that $\psi'$ $\iota$-preserves $\psi$. Note that the preserves relation is transitive. When the operation $\tau$ is deterministic, $\tau(\psi)$ represents the result of the transformation, and we call $\tau$ a conservative operation to indicate that $\tau(\psi)$ preserves $\psi$ for all $\psi$. Correspondingly, $\tau$ is said to be $\iota$-conservative when $\tau(\psi)$ $\iota$-preserves $\psi$. Let $\tau^n$ represent the $n$-fold iteration of $\tau$; then $\tau^n$ is a conservative operation. The composition $\tau_2 \circ \tau_1$ of conservative operations $\tau_1$ and $\tau_2$ is also a conservative operation. The operation $\tau^*(\psi)$ is defined as $\tau^i(\psi)$ for the least $i$ such that $\tau^{i+1}(\psi) = \tau^i(\psi)$. The existence of such a bound $i$ must be demonstrated for the termination of $\tau^*$. If $\tau$ is conservative, so is $\tau^*$.

If $\tau$ is a conservative operation, it is sound and complete in the sense that for a formula $\phi$ with $vars(\phi) \subseteq vars(\psi)$, $\models (\psi \vdash \phi)$ iff $\models (\tau(\psi) \vdash \phi)$. This is clear since $\tau$ is a conservative operation and $vars(\phi) \subseteq vars(\psi)$.

¹ In our case, the state is actually represented by a list whose elements are sets of equalities. We abuse notation by viewing such a state as the set of equalities corresponding to the union of the sets of equalities contained in it.

² In general, one could allow the interpretation $M$ to be extended to $M'$ in the transformation from $\psi$ to $\psi'$ to allow for the introduction of new function symbols, e.g., skolem functions. This abstract design pattern then also covers skolemization in addition to methods like prenexing, clausification, resolution, variable abstraction, and Knuth-Bendix completion.

If $\tau^*(\psi)$ returns a state $\psi'$ such that $\models (\psi' \vdash \bot)$, where $\bot$ is an unsatisfiable formula, then $\psi'$ and $\psi$ are both clearly unsatisfiable. Otherwise, if $\psi'$ is canonical, as explained below, $\models (\psi' \vdash \phi)$ can be decided by computing a canonical form $\psi'[\phi]$ for $\phi$ with respect to $\psi'$.


3  Congruence  Closure 


In this section, we present a warm-up exercise for deciding equality over terms where all function symbols are uninterpreted, i.e., the interpretation of these operations is unconstrained. This means that a sequent $\Gamma \vdash c = d$ is valid, i.e., $\models (\Gamma \vdash c = d)$, iff for all interpretations $M$ and assignments $\rho$, the satisfaction relation $M, \rho \models (\Gamma \vdash c = d)$ holds. Whenever we write $f(a_1, \ldots, a_n)$, the function symbol $f$ is uninterpreted, and $f(a_1, \ldots, a_n)$ is then said to be uninterpreted. Later on, we will extend the procedure to allow interpreted function symbols from disjoint Shostak theories such as linear arithmetic and lists. The congruence closure procedure sets up the template for the extended procedure in Section 5.

The congruence closure decision procedure for pure equality has been studied by Kozen [Koz77], Shostak [Sho78], Nelson and Oppen [NO80], Downey, Sethi, and Tarjan [DST80], and, more recently, by Kapur [Kap97]. We present the congruence closure algorithm in a Shostak style, i.e., as an online algorithm for computing and using canonical forms by successively processing the input equations from the set $\Gamma$. For ease of presentation, we make use of variable abstraction in the style of the abstract congruence closure technique due to Bachmair, Tiwari, and Vigneron [BTV02]. Terms of the form $f(a_1, \ldots, a_n)$ are variable-abstracted into the form $f(x_1, \ldots, x_n)$ where the variables $x_1, \ldots, x_n$ abstract the terms $a_1, \ldots, a_n$, respectively. The procedure shown here can be seen as a specific strategy for applying the abstract congruence closure rules. In Section 5, we make essential use of variable abstraction in the Nelson-Oppen style where it is not merely a presentation device.

Let $\Gamma = \{a_1 = b_1, \ldots, a_n = b_n\}$ for $n \geq 0$ so that $\Gamma$ is empty when $n = 0$. Let $x$ and $y$ be metavariables that range over variables. The state of the algorithm consists of a solution state $S$ and the input equalities $\Gamma$. The solution state $S$ will be maintained as the pair $(S_V; S_U)$, where $(l_1; l_2; \ldots; l_n)$ represents a list with $n$ elements and semicolon is an associative separator for list elements. The set $S_U$ then contains equalities of the form $x = f(x_1, \ldots, x_n)$ for an $n$-ary uninterpreted function $f$, and the set $S_V$ contains equalities of the form $x = y$ between variables. We blur the distinction between the equality $a = b$ and the singleton set $\{a = b\}$. Syntactic identity is written as $a \equiv b$ as opposed to semantic equality $a = b$.

A set of equalities $R$ is functional if $b \equiv c$ whenever $a = b \in R$ and $a = c \in R$, for any $a$, $b$, and $c$. If $R$ is functional, it can be used as a lookup table for obtaining the right-hand side entry corresponding to a left-hand side expression. Thus $R(a) = b$ if $a = b \in R$, and otherwise, $R(a) = a$. The domain of $R$, $dom(R)$, is defined as $\{a \mid a = b \in R \text{ for some } b\}$. When $R$ is not necessarily functional, we use $R(\{a\})$ to represent the set $\{b \mid a = b \in R \lor b \equiv a\}$, which is the image of $\{a\}$ with respect to the reflexive closure of $R$. The inverse of $R$, written as $R^{-1}$, is the set $\{b = a \mid a = b \in R\}$. A functional set of equalities can be applied as in $R[a]$.

$R[x] = R(x)$

$R[f(a_1, \ldots, a_n)] = R(f(R[a_1], \ldots, R[a_n]))$

$R[\{a_1 = b_1, \ldots, a_n = b_n\}] = \{R[a_1] = R[b_1], \ldots, R[a_n] = R[b_n]\}$

In typical usage, $R$ will be a solution set where the left-hand sides are all variables, so that $R[a]$ is just the result of applying $R$ as a substitution to $a$.

When $S_V$ is functional, then $S$ given by $(S_V; S_U)$ can also be used to compute the canonical form $S[a]$ of a term $a$ with respect to $S$. Hilbert's epsilon operator is used in the form of the when operator: $F(x)$ when $x : P(x)$ is an abbreviation for $F(\epsilon x : P(x))$, if $\exists x : P(x)$.

$S[x] = S_V(x)$

$S[f(a_1, \ldots, a_n)] = S_V(x)$, when $x : x = f(S[a_1], \ldots, S[a_n]) \in S_U$

$S[f(a_1, \ldots, a_n)] = f(S[a_1], \ldots, S[a_n])$, otherwise.

The set $S_V$ of variable equalities will be maintained so that $vars(S_V) \cup vars(S_U) = dom(S_V)$. The set $S_V$ partitions the variables in $dom(S_V)$ into equivalence classes. Two variables $x$ and $y$ are said to be in the same equivalence class with respect to $S_V$ if $S_V(x) \equiv S_V(y)$. If $R$ and $R'$ are solution sets and $R'$ is functional, then $R \triangleright R' = \{a = R'[b] \mid a = b \in R\}$, and $R \circ R' = R' \cup (R \triangleright R')$. The set $S_V$ is maintained in idempotent form so that $S_V \circ S_V = S_V$. Note that $S_U$ need not be functional since it can, for example, simultaneously contain the equations $x = f(y)$, $x = f(z)$, and $x = g(y)$.

We assume a strict total ordering $x \prec y$ on variables. The operation $orient(x = y)$ returns $\{x = y\}$ if $x \prec y$, and returns $\{y = x\}$ otherwise. The solution state $S$ is said to be congruence-closed if $S_U(\{x\}) \cap S_U(\{y\}) = \emptyset$ whenever $S_V(x) \not\equiv S_V(y)$. A solution set $S$ is canonical if $S$ is congruence-closed, $S_V$ is functional and idempotent, and $S_U$ is normalized, i.e., $S_U \triangleright S_V = S_U$.

In order to determine if $\models (\Gamma \vdash c = d)$, we check if $S'[c] \equiv S'[d]$ for $S' = process(S; \Gamma)$, where $S = (S_V; S_U)$, $S_V = id_\Gamma$, $id_\Gamma = \{x = x \mid x \in vars(\Gamma)\}$, and $S_U = \emptyset$. The congruence closure procedure $process$ is defined in Figure 1.

$process(S; \emptyset) = S$

$process(S; \{a = b\} \cup \Gamma) = process(S'; \Gamma)$, where $S' = close^*(merge(abstract^*(S; S[a = b])))$.

$close(S) = merge(S; S_V(x) = S_V(y))$, when $x, y : S_V(x) \not\equiv S_V(y)$, $S_U(\{x\}) \cap S_U(\{y\}) \neq \emptyset$

$close(S) = S$, otherwise.

$merge(S; x = x) = S$

$merge(S; x = y) = (S'_V; S'_U)$, where $x \not\equiv y$, $R = orient(x = y)$, $S'_V = S_V \circ R$, $S'_U = S_U \triangleright R$.

$abstract(S; x = y) = (S; x = y)$

$abstract(S; a = b) = (S'; a' = b')$, when $S', a', b', x, x_1, \ldots, x_n :$ $f(x_1, \ldots, x_n) \in \lceil a = b \rceil$, $x \notin vars(S; a = b)$, $R = \{x = f(x_1, \ldots, x_n)\}$, $S' = (S_V \cup \{x = x\}; S_U \cup R)$, $a' = R^{-1}[a]$, $b' = R^{-1}[b]$.

Fig. 1. Congruence closure

Explanation. We explain the congruence closure procedure using the validity of the sequent $f(f(f(x))) = x, x = f(f(x)) \vdash f(x) = x$ as an example. Its validity will be verified by constructing a solution state $S'$ equal to $process(S_V; S_U; \Gamma)$ for $\Gamma = \{f(f(f(x))) = x, x = f(f(x))\}$, $S_V = id_\Gamma$, $S_U = \emptyset$, and checking $S'[f(x)] \equiv S'[x]$. Note that $id_\Gamma$ is $\{x = x\}$. In processing $f(f(f(x))) = x$ with respect to $S$, the canonization step $S[f(f(f(x))) = x]$ yields $f(f(f(x))) = x$, unchanged. Next, the variable abstraction step computes $abstract^*(f(f(f(x))) = x)$. First $f(x)$ is abstracted to $v_1$, yielding the state $(\{x = x, v_1 = v_1\}; \{v_1 = f(x)\}); f(f(v_1)) = x$. Variable abstraction eventually terminates, renaming $f(v_1)$ to $v_2$ and $f(v_2)$ to $v_3$, so that $S$ is $(\{x = x, v_1 = v_1, v_2 = v_2, v_3 = v_3\}; \{v_1 = f(x), v_2 = f(v_1), v_3 = f(v_2)\})$. The variable-abstracted input equality is then $v_3 = x$. Let $orient(v_3 = x)$ return $v_3 = x$. Next, $merge(S; v_3 = x)$ yields the solution state $(\{x = x, v_1 = v_1, v_2 = v_2, v_3 = x\}; \{v_1 = f(x), v_2 = f(v_1), v_3 = f(v_2)\})$. The congruence closure step $close^*(S)$ leaves $S$ unchanged since there are no variables that are merged in $S_U$ and not in $S_V$.

The next input equality $x = f(f(x))$ is canonized as $x = v_2$, which can be oriented as $v_2 = x$ and merged with $S$ to yield the new value $(\{x = x, v_1 = v_1, v_2 = x, v_3 = x\}; \{v_1 = f(x), v_2 = f(v_1), v_3 = f(x)\})$ for $S$. The congruence closure step $close^*(S)$ now detects that $v_1$ and $v_3$ are merged in $S_U$ (both have the right-hand side $f(x)$) but not in $S_V$, and generates the equality $v_1 = v_3$. This equality is merged to yield the new value of $S$ as $(\{x = x, v_1 = x, v_2 = x, v_3 = x\}; \{v_1 = f(x), v_2 = f(x), v_3 = f(x)\})$, which is congruence-closed.

With respect to this final value of the solution state $S$, it can be checked that

$S[f(x)] \equiv x \equiv S[x]$.
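The procedure of Figure 1 is compact enough to execute as written. The following Python program is an added illustration (it is not code from the paper, and its data representation is our own): a variable is a string, an application $f(a_1, \ldots, a_n)$ is the tuple `(f, a1, ..., an)`, the strict order $\prec$ is the string order on variable names, and fresh variables are named `v1`, `v2`, .... Running `paper_example()` replays the sequent worked above and returns the final $S_V$, in which all four variables are mapped to `x`.

```python
"""Shostak-style congruence closure (Figure 1), as an added illustration.

Representation (ours, not the paper's): a variable is a str, an application
f(a1, ..., an) is the tuple (f, a1, ..., an).  The solution state is (S_V, S_U):
S_V is a dict mapping every variable to its class representative (functional
and idempotent); S_U is a set of pairs (x, (f, x1, ..., xn)) standing for
x = f(x1, ..., xn) over variables only.  The order ≺ is the string order.
"""
from itertools import count


def is_var(t):
    return isinstance(t, str)


def variables(t):
    """vars(t) for a term."""
    if is_var(t):
        return {t}
    return set().union(*[variables(a) for a in t[1:]])


def subst(r, t):
    """R[a]: apply a functional set with variable left-hand sides as a substitution."""
    if is_var(t):
        return r.get(t, t)
    return (t[0],) + tuple(subst(r, a) for a in t[1:])


class CongruenceClosure:
    def __init__(self, gamma):
        """Start from S_V = id_Gamma and S_U = empty, then process each equation of Gamma."""
        self.sv = {x: x for a, b in gamma for x in variables(a) | variables(b)}
        self.su = set()
        self.fresh = count(1)
        for a, b in gamma:
            self.process(a, b)

    def canon(self, a):
        """S[a]: S_V(x) if x = f(S[a1], ..., S[an]) is in S_U, else f(S[a1], ..., S[an])."""
        if is_var(a):
            return self.sv[a]
        app = (a[0],) + tuple(self.canon(b) for b in a[1:])
        for x, rhs in self.su:
            if rhs == app:
                return self.sv[x]
        return app

    def abstract(self, a):
        """abstract*: name every application f(x1, ..., xn) by a fresh variable x,
        adding x = x to S_V and x = f(x1, ..., xn) to S_U; returns the variable."""
        if is_var(a):
            return a
        app = (a[0],) + tuple(self.abstract(b) for b in a[1:])
        x = f"v{next(self.fresh)}"
        while x in self.sv:                      # x must not occur in (S; a = b)
            x = f"v{next(self.fresh)}"
        self.sv[x] = x
        self.su.add((x, app))
        return x

    def merge(self, x, y):
        """merge(S; x = y): R = orient(x = y) maps the ≺-smaller variable to the
        larger; S'_V = S_V ∘ R and S'_U = S_U ▷ R."""
        if x == y:
            return
        r = {min(x, y): max(x, y)}
        self.sv = {v: subst(r, w) for v, w in self.sv.items()}
        self.su = {(v, subst(r, t)) for v, t in self.su}

    def close(self):
        """close*: while x = t and y = t are both in S_U with S_V(x) ≠ S_V(y),
        merge the two representatives (the congruence rule), until a fixpoint."""
        while True:
            first = {}
            for x, t in self.su:
                y = first.setdefault(t, x)
                if self.sv[x] != self.sv[y]:
                    self.merge(self.sv[x], self.sv[y])
                    break
            else:
                return

    def process(self, a, b):
        """process(S; {a = b} ∪ Gamma): canonize, variable-abstract, merge, close*."""
        x = self.abstract(self.canon(a))
        y = self.abstract(self.canon(b))
        self.merge(self.sv[x], self.sv[y])
        self.close()

    def valid(self, c, d):
        """⊨ (Gamma ⊢ c = d) iff S'[c] ≡ S'[d].  Variables of c = d that are not in
        Gamma are padded with reflexivity assertions x = x, as the text allows."""
        for x in variables(c) | variables(d):
            self.sv.setdefault(x, x)
        return self.canon(c) == self.canon(d)


def paper_example():
    """f(f(f(x))) = x, x = f(f(x)) ⊢ f(x) = x, the sequent worked in the text."""
    def f(t):
        return ("f", t)
    cc = CongruenceClosure([(f(f(f("x"))), "x"), ("x", f(f("x")))])
    return cc.valid(f("x"), "x"), cc.sv


if __name__ == "__main__":
    print(paper_example())   # (True, {'x': 'x', 'v1': 'x', 'v2': 'x', 'v3': 'x'})
```

Because abstraction always introduces a fresh name even when an identical right-hand side is already in $S_U$, the duplicate is resolved by `close`, exactly as in the second step of the worked example where $v_1$ and $v_3$ both become $f(x)$.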
Invariants. The Shostak-style congruence closure algorithm makes heavy use of canonical forms, and this requires some key invariants to be preserved on the solution state $S$. If $vars(S_V) \cup vars(S_U) \subseteq dom(S_V)$, then $vars(S'_V) \cup vars(S'_U) \subseteq dom(S'_V)$, when $S'$ is either $abstract(S; a = b)$ or $close(S)$. If $S$ is canonical and $a' \equiv S[a]$, then $S_V[a'] \equiv a'$. If $S_U \triangleright S_V = S_U$, $S_V[a] \equiv a$, and $S_V[b] \equiv b$, then $S'_U \triangleright S'_V = S'_U$, where $S'; a' = b'$ is $abstract(S; a = b)$. Similarly, if $S_U \triangleright S_V = S_U$, $S_V(x) \equiv x$, $S_V(y) \equiv y$, then $S'_U \triangleright S'_V = S'_U$ for $S' = merge(S; x = y)$. If $S_V$ is functional and idempotent, then so is $S'_V$, where $S'$ is either of $abstract(S; a = b)$ or $close(S)$. If $S' = close^*(S)$, then $S'$ is congruence-closed, and if $S_V$ is functional and idempotent and $S_U$ is normalized, then $S'$ is canonical.

Variations. In the merge operation, if $S'_U$ is computed as $R[S_U]$ instead of $S_U \triangleright R$, this would preserve the invariant that $S_U^{-1}$ is always functional and $S_V[S_U] = S_U$. If this is the case, the canonizer can be simplified to just return $S_U^{-1}(f(S[a_1], \ldots, S[a_n]))$.

Termination. The procedure $process(S; \Gamma)$ terminates after each equality in $\Gamma$ has been asserted into $S$. The operation $abstract^*$ terminates because each recursive call decreases the number of occurrences of function applications in the given equality $a = b$ by at least one. The operation $close^*$ terminates because each invocation of the merge operation merges two distinct equivalence classes of variables in $S_V$. The process operation terminates because the number of input equations in $\Gamma$ decreases with each recursive call. Therefore the computation of $process(S; \Gamma)$ terminates returning a canonical solution set $S'$.

Soundness and Completeness. We need to show that $\models (\Gamma \vdash c = d) \iff S'[c] \equiv S'[d]$ for $S' = process(id_\Gamma; \emptyset; \Gamma)$ and $vars(c = d) \subseteq vars(\Gamma)$. We do this by showing that $S'$ preserves $(id_\Gamma; \emptyset; \Gamma)$, and hence $\models (\Gamma \vdash c = d) \iff \models (S' \vdash c = d)$, and $\models (S' \vdash c = d) \iff S'[c] \equiv S'[d]$. We can easily establish that if $process(S; \Gamma) = S'$, then $S'$ preserves $(S; \Gamma)$. If $a' = b'$ is obtained from $a = b$ by applying equality replacements from $S$, then $(S; a' = b')$ preserves $(S; a = b)$. In particular, $\models (S \vdash S[c] = c)$ holds. The following claims can then be easily verified.

1. $(S; S[a = b])$ preserves $(S; a = b)$.

2. $abstract(S; a = b)$ preserves $(S; a = b)$.

3. $merge(S; a = b)$ preserves $(S; a = b)$.

4. $close(S)$ preserves $S$.

The only remaining step is to show that if $S'$ is canonical, then $\models (S' \vdash c = d) \iff S'[c] \equiv S'[d]$ for $vars(c = d) \subseteq vars(S')$. Since we know that $\models S' \vdash S'[c] = c$ and $\models S' \vdash S'[d] = d$, $\models (S' \vdash c = d)$ follows from $S'[c] \equiv S'[d]$. For the only-if direction, we show that if $S'[c] \not\equiv S'[d]$, then there is an interpretation $M_{S'}$ and an assignment $\rho_{S'}$ such that $M_{S'}, \rho_{S'} \models S'$ but $M_{S'}, \rho_{S'} \not\models c = d$. A canonical term (in $S'$) is a term $a$ such that $S'[a] \equiv a$. The domain $D_{S'}$ is taken to be the set of canonical terms built from the function symbols $F$ and variables from $vars(S')$. We constrain $M_{S'}$ so that $M_{S'}(f)(a_1, \ldots, a_n) = S'_V(x)$ when there is an $x$ such that $x = f(a_1, \ldots, a_n) \in S'_U$, and $f(a_1, \ldots, a_n)$ otherwise. Let $\rho_{S'}$ map $x$ in $vars(S')$ to $S'_V(x)$; the mappings for the variables outside $vars(S')$ are irrelevant. It is easy to see that $M_{S'}[\![c]\!]\rho_{S'} = S'[c]$ by induction on the structure of $c$. In particular, when $S'$ is canonical, $M_{S'}(f)(x_1, \ldots, x_n) = S'_V(x)$ for $x = f(x_1, \ldots, x_n) \in S'_U$, so that one can easily verify that $M_{S'}, \rho_{S'} \models S'$. Hence, if $S'[c] \not\equiv S'[d]$, then $\not\models (S' \vdash c = d)$.


4  Shostak Theories

A Shostak theory [Sho84] is a theory that is canonizable and solvable. We assume a collection of Shostak theories $\theta_1, \ldots, \theta_N$. In this section, we give a decision procedure for a single Shostak theory $\theta_i$, but with $i$ as a parameter. This background material is adapted from Shankar [Sha01]. Satisfiability $M, \rho \models a = b$ is with respect to $i$-models $M$. The equality $a = b$ is $i$-valid, i.e., $\models_i a = b$, if for all $i$-models $M$ and assignments $\rho$, $M[\![a]\!]\rho = M[\![b]\!]\rho$. Similarly, $a = b$ is $i$-unsatisfiable, i.e., $\models_i a \neq b$, when for all $i$-models $M$ and assignments $\rho$, $M[\![a]\!]\rho \neq M[\![b]\!]\rho$. An $i$-term $a$ is a term whose function symbols all belong to $\theta_i$ and $vars(a) \subseteq X \cup X_i$.

A canonizable theory $\theta_i$ admits a computable operation $\sigma_i$ on terms such that $\models_i a = b$ iff $\sigma_i(a) \equiv \sigma_i(b)$, for $i$-terms $a$ and $b$. An $i$-term $a$ is canonical if $\sigma_i(a) \equiv a$. Additionally, $vars(\sigma_i(a)) \subseteq vars(a)$ and every subterm of $\sigma_i(a)$ must be canonical. For example, a canonizer for the theory $\theta_A$ of linear arithmetic can be defined to convert expressions into an ordered sum-of-monomials form. Then, $\sigma_A(y + x + x) \equiv 2 * x + y \equiv \sigma_A(x + y + x)$.

A solvable theory admits a procedure $solve_i$ on equalities such that $solve_i(Y)(a = b)$, for a set of variables $Y$ with $vars(a = b) \subseteq Y$, returns a solved form for $a = b$ as explained below. $solve_i(Y)(a = b)$ might contain fresh variables that do not appear in $Y$. A functional solution set $R$ is in $i$-solved form if it is of the form $\{x_1 = t_1, \ldots, x_n = t_n\}$, where for $j$, $1 \leq j \leq n$, $t_j$ is a canonical $i$-term, $\sigma_i(t_j) \equiv t_j$, and $vars(t_j) \cap dom(R) = \emptyset$ unless $t_j \equiv x_j$. The $i$-solved form $solve_i(Y)(a = b)$ is either $\bot_i$, when $\models_i a \neq b$, or is a solution set of equalities which is the union of sets $R_1$ and $R_2$. The set $R_1$ is the solved form $\{x_1 = t_1, \ldots, x_n = t_n\}$ with $x_j \in vars(a = b)$ for $1 \leq j \leq n$, and for any $i$-model $M$ and assignment $\rho$, we have that $M, \rho \models a = b$ iff there is a $\rho'$ extending $\rho$ over $vars(solve_i(Y)(a = b)) - Y$ such that $M, \rho' \models x_j = t_j$, for $1 \leq j \leq n$. The set $R_2$ is just $\{x = x \mid x \in vars(R_1) - Y\}$ and is included in order to preserve variables. In other words, $solve_i(Y)(a = b)$ $i$-preserves $a = b$. For example, a solver for linear arithmetic can be constructed to isolate a variable on one side of the equality through scaling and cancellation. We assume that the fresh variables generated by $solve_i$ are from the set $X_i$. We take $vars(\bot_i)$ to be $X \cup X_i$ so as to maintain variable preservation, and indeed $\bot_i$ could be represented as just $\bot$ were it not for this condition.

We now describe a decision procedure for sequents of the form $\Gamma \vdash c = d$ in a single Shostak theory with canonizer $\sigma_i$ and solver $solve_i$. Here the solution state $S$ is just a functional solution set of equalities in $i$-solved form. Given a solution set $S$, we define $S(\!(a)\!)_i$ as $\sigma_i(S[a])$. The composition of solution sets is defined so that $S \circ_i \bot_i = \bot_i \circ_i S = \bot_i$ and $S \circ_i R = R \cup \{a = R(\!(b)\!)_i \mid a = b \in S\}$. Note that solved forms are idempotent with respect to composition, so that $S \circ_i S = S$.

The solved form $solveclose_i(id_\Gamma; \Gamma)$ is obtained by processing the equations in $\Gamma$ to build up a solution set $S$. An equation $a = b$ is first canonized with respect to $S$ as $S(\!(a)\!)_i = S(\!(b)\!)_i$ and then solved to yield the solution $R$. If $R$ is $\bot_i$, then $\Gamma$ is $i$-unsatisfiable and we return the solution state with $S_i = \bot_i$ as the result. Otherwise, the composition $S \circ_i R$ is computed and used to similarly process the remaining formulas in $\Gamma$.

$solveclose_i(S; \emptyset) = S$

$solveclose_i(\bot_i; \Gamma) = \bot_i$

$solveclose_i(S; \{a = b\} \cup \Gamma) = solveclose_i(S'; \Gamma)$, where $S' = S \circ_i solve_i(vars(S))(S(\!(a)\!)_i = S(\!(b)\!)_i)$

To check $i$-validity, $\models_i (\Gamma \vdash c = d)$, it is sufficient to check that either $solveclose_i(id_\Gamma; \Gamma) = \bot_i$ or $S'(\!(c)\!)_i \equiv S'(\!(d)\!)_i$, where $S' = solveclose_i(id_\Gamma; \Gamma)$.
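The single-theory procedure above, instantiated with linear arithmetic over the rationals, is shown in the following Python program. It is an added illustration, not code from the paper; the canonizer $\sigma_A$ produces the ordered sum-of-monomials form mentioned earlier, the solver isolates the $\prec$-least variable by scaling and cancellation, and the representation of canonical forms as coefficient dictionaries (with the key `None` for the constant monomial) is our choice. Independent variables are left out of the solution dictionary, which is how $id_\Gamma$ is represented here; linear arithmetic needs no fresh variables, so $R_2$ is always empty.

```python
"""solveclose_i for the Shostak theory of linear (rational) arithmetic, as an
added illustration.

Representation (ours, not the paper's): a canonical form is a dict mapping a
variable name to its rational coefficient, with the key None holding the
constant; monomials with coefficient 0 are dropped.  Two canonical forms are
syntactically identical (≡) exactly when the dicts are equal.  The solution
state S maps dependent variables to canonical forms; independent variables
are simply absent from S, which is how id_Gamma is represented here.
"""
from fractions import Fraction

CONST = None      # key of the constant monomial
BOT = "bottom"    # the unsatisfiable solution state ⊥_A


def add(u, v):
    out = dict(u)
    for k, c in v.items():
        out[k] = out.get(k, Fraction(0)) + c
    return {k: c for k, c in out.items() if c != 0}


def scale(k, u):
    return {} if k == 0 else {v: k * c for v, c in u.items()}


def canon(t):
    """σ_A: ordered sum of monomials for a term built from numbers, variables
    (str) and the operators ("+", a, b), ("-", a, b), ("neg", a), ("*", k, a)
    where k is a number."""
    if isinstance(t, str):
        return {t: Fraction(1)}
    if isinstance(t, (int, Fraction)):
        return {CONST: Fraction(t)} if t != 0 else {}
    op = t[0]
    if op == "+":
        return add(canon(t[1]), canon(t[2]))
    if op == "-":
        return add(canon(t[1]), scale(Fraction(-1), canon(t[2])))
    if op == "neg":
        return scale(Fraction(-1), canon(t[1]))
    if op == "*":
        return scale(Fraction(t[1]), canon(t[2]))
    raise ValueError(f"not a linear-arithmetic term: {t!r}")


def subst(s, u):
    """S((u))_A = σ_A(S[u]): substitute the solution set S into canonical form u."""
    out = {CONST: u.get(CONST, Fraction(0))}
    for v, c in u.items():
        if v is not CONST:
            out = add(out, scale(c, s.get(v, {v: Fraction(1)})))
    return {k: c for k, c in out.items() if c != 0}


def solve(u, v):
    """solve_A(a = b) on canonical forms: None for ⊥_A (a ≠ b is A-unsatisfiable),
    {} when a = b is A-valid, else {x: t} with the ≺-least variable x isolated
    by scaling and cancellation; t is canonical and does not contain x."""
    d = add(u, scale(Fraction(-1), v))            # a - b, to be made 0
    xs = sorted(k for k in d if k is not CONST)    # ≺ is the string order on names
    if not xs:
        return None if d else {}
    x = xs[0]
    c = d.pop(x)
    return {x: scale(Fraction(-1) / c, d)}         # x = -(d - c·x) / c


def compose(s, r):
    """S ∘_A R = R ∪ {a = R((b))_A | a = b ∈ S}; anything composed with ⊥_A is ⊥_A."""
    if s is BOT or r is None:
        return BOT
    out = {a: subst(r, b) for a, b in s.items()}
    out.update(r)
    return out


def solveclose(gamma):
    """solveclose_A(id_Gamma; Gamma): canonize each a = b w.r.t. S, solve, compose."""
    s = {}
    for a, b in gamma:
        s = compose(s, solve(subst(s, canon(a)), subst(s, canon(b))))
        if s is BOT:
            break
    return s


def valid(gamma, c, d):
    """⊨_A (Gamma ⊢ c = d) iff solveclose reaches ⊥_A or S'((c))_A ≡ S'((d))_A."""
    s = solveclose(gamma)
    return s is BOT or subst(s, canon(c)) == subst(s, canon(d))


if __name__ == "__main__":
    gamma = [(("+", "x", "y"), 3), (("-", "x", "y"), 1)]
    print(solveclose(gamma))    # {'x': {None: Fraction(2, 1)}, 'y': {None: Fraction(1, 1)}}
    print(valid(gamma, "x", 2)) # True
```

Because each new equation is canonized with respect to the current $S$ before solving, the right-hand side returned by `solve` only mentions variables that are still independent, which is what keeps `compose` in solved form and idempotent.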

Soundness and Completeness. As with the congruence closure procedure, each step in $solveclose_i$ is $i$-conservative. Hence $solveclose_i$ is sound and complete: if $S' = solveclose_i(S; \Gamma)$, then for every $i$-model $M$ and assignment $\rho$, $M, \rho \models S \cup \Gamma$ iff there is a $\rho'$ extending $\rho$ over the variables in $vars(S') - vars(S)$ such that $M, \rho' \models S'$. If $\sigma_i(S'[a]) \equiv \sigma_i(S'[b])$, then $M, \rho' \models a = S'[a] = \sigma_i(S'[a]) = \sigma_i(S'[b]) = S'[b] = b$, and hence $M, \rho \models a = b$. Otherwise, when $\sigma_i(S'[a]) \not\equiv \sigma_i(S'[b])$, we know by the condition on $\sigma_i$ that there is an $i$-model $M$ and an assignment $\rho'$ such that $M[\![S'[a]]\!]\rho' \neq M[\![S'[b]]\!]\rho'$. The solved form $S'$ divides the variables into independent variables $x$ such that $S'(x) \equiv x$, and dependent variables $y$ where $y \not\equiv S'(y)$ and the variables in $vars(S'(y))$ are all independent. We can therefore extend $\rho'$ to an assignment $\rho$ where the dependent variables $y$ are mapped to $M[\![S'(y)]\!]\rho'$. Clearly, $M, \rho \models S'$, $M, \rho \models a = S'[a]$, and $M, \rho \models b = S'[b]$. Since $S'$ $i$-preserves $(S; \Gamma)$, $M, \rho \models \Gamma$ but $M, \rho \not\models a = b$, and hence $\Gamma \vdash a = b$ is not $i$-valid, so the procedure is complete. The correctness argument is thus similar to that of Section 3, but for the case of a single Shostak theory considered here there is no need to construct a canonical term model, since $\models_i a = \sigma_i(a)$, and $\sigma_i(a) \equiv \sigma_i(b)$ iff $\models_i a = b$.

Canonical term model. The situation is different when we wish to combine Shostak theories. It is important to resolve potential semantic incompatibilities between two Shostak theories. With respect to some fixed notion of $i$-validity for $\theta_i$ and $j$-validity for $\theta_j$ with $i \neq j$, a formula $A$ in the union of $\theta_i$ and $\theta_j$ may be satisfiable in an $i$-interpretation of only a specific finite cardinality for which there might be no corresponding satisfying $j$-interpretation for the formula. Such an incompatibility can arise even when a theory $\theta_i$ is extended with uninterpreted function symbols. For example, if $\phi$ is a formula with variables $x$ and $y$ that is satisfiable only in a two-element model $M$ where $\rho(x) \neq \rho(y)$, then the set of formulas $\Gamma$ where $\Gamma = \{\phi, f(x) = x, f(u) = y, f(y) = x\}$ additionally requires $\rho(x) \neq \rho(u)$ and $\rho(y) \neq \rho(u)$. Hence, a model for $\Gamma$ must have at least three elements, so that $\Gamma$ is unsatisfiable. However, there is no way to detect this kind of unsatisfiability purely through the use of solving and canonization.

We introduce a canonical term model as a way around such semantic incompatibilities. The set of canonical $i$-terms $a$ such that $\sigma_i(a) \equiv a$ yields a domain for a term model $M_i$ where $M_i(f)(a_1, \ldots, a_n) = \sigma_i(f(a_1, \ldots, a_n))$. If $M_i$ is (isomorphic to) an $i$-model, then we say that the theory $\theta_i$ is composable. Note that the solve operation is conservative with respect to the model $M_i$ as well, since $M_i$ is taken as an $i$-model.

Given the usual interpretation of disjunction, a notion of validity is said to be convex when $\models (\Gamma \vdash c_1 = d_1 \lor \ldots \lor c_n = d_n)$ implies $\models (\Gamma \vdash c_k = d_k)$ for some $k$, $1 \leq k \leq n$. If a theory $\theta_i$ is composable, then $i$-validity is convex. Recall that $\models_i (\Gamma \vdash c_1 = d_1 \lor \ldots \lor c_n = d_n)$ iff $\models_i (S \vdash c_1 = d_1 \lor \ldots \lor c_n = d_n)$ for $S = solveclose_i(id_\Gamma; \Gamma)$. If $S = \bot_i$, then $\models_i (\Gamma \vdash c_k = d_k)$, for $1 \leq k \leq n$. If $S \neq \bot_i$, then since $S$ $i$-preserves $\Gamma$, $\models_i (S \vdash c_1 = d_1 \lor \ldots \lor c_n = d_n)$, but (by assumption) $\not\models_i (S \vdash c_k = d_k)$. An assignment $\rho_S$ can be constructed so that for independent (i.e., where $S(x) \equiv x$) variables $x \in vars(S)$, $\rho_S(x) = x$, and for dependent variables $y \in vars(S)$, $\rho_S(y) = M_i[\![S(y)]\!]\rho_S$. If for $S \neq \bot_i$, $\not\models_i (S \vdash c_k = d_k)$, then $M_i, \rho_S \models S$ and $M_i, \rho_S \not\models c_k = d_k$. Hence $M_i, \rho_S \not\models (S \vdash c_k = d_k)$, for $1 \leq k \leq n$. This yields $M_i, \rho_S \not\models (\Gamma \vdash c_1 = d_1 \lor \ldots \lor c_n = d_n)$, contradicting the assumption.


5  Combining Shostak Theories

We now examine the combination of the theory of equality over uninterpreted function symbols with several disjoint Shostak theories. Examples of interpreted operations from Shostak theories include $+$ and $-$ from the theory of linear arithmetic, $select$ and $update$ from the theory of arrays, and $cons$, $car$, and $cdr$ from the theory of lists. The basic Shostak combination algorithm covers the union of equality over uninterpreted function symbols and a single canonizable and solvable equational theory [Sho84,CLS96,RS01]. Shostak [Sho84] had claimed that the basic combination algorithm was sufficient because canonizers and solvers for disjoint theories could be combined into a single canonizer and solver for their union. This claim is incorrect.³ We present a combined decision procedure for multiple Shostak theories that overcomes the difficulty of combining solvers.

Two theories $\theta_1$ and $\theta_2$ are said to be disjoint if they have no function symbols in common. A typical subgoal in a proof can involve interpreted symbols from several theories. Let $\sigma_i$ be the canonizer for $\theta_i$. A term $f(a_1, \ldots, a_n)$ is said to be in $\theta_i$ if $f$ is in $\theta_i$, even though some $a_j$ might contain function symbols outside $\theta_i$. In processing terms from the union of pairwise disjoint theories $\theta_1, \ldots, \theta_N$, it is quite easy to combine the canonizers so that each theory treats terms in the other theory as variables. Since $\sigma_i$ is only applicable to $i$-terms, we first have to extend the canonizer to treat terms in $\theta_j$ for $j \neq i$ as variables. Let $\pi_i$ be a chosen bijective set of equalities between the variables $X$ and the set $\{a \mid \exists j : j \neq i \land a \in \theta_j\}$. We treat uninterpreted function symbols as belonging to a special theory $\theta_0$ where $\sigma_0(a) = a$ for $a \in \theta_0$. The extended operation $\hat{\sigma}_i$ is defined below.

³ The difficulty with combining Shostak solvers was observed by Jeremy Levitt [Lev99].

$\hat{\sigma}_i(a) = \pi_i[\sigma_i(a')]$, when $a' : a'$ is an $i$-term, $\pi_i[a'] \equiv a$.

Note that the when condition in the above definition can always be satisfied. The combined canonizer $\sigma$ can then be defined as

$\sigma(x) = x$

$\sigma(f(a_1, \ldots, a_n)) = \hat{\sigma}_i(f(\sigma(a_1), \ldots, \sigma(a_n)))$, when $i : f$ is in $\theta_i$.

This canonizer is, however, not used in the remainder of the paper.

We now discuss the difficulty of combining the solvers $solve_1$ and $solve_2$ for $\theta_1$ and $\theta_2$, respectively, into a single solver. The example uses the theory $\theta_A$ of linear arithmetic and the theory $\theta_L$ of the pairing and projection operations $cons$, $car$, $cdr$, where, somewhat nonsensically, the projection operations also apply to numerical expressions. Shostak illustrated the combination using the example

$5 + car(x + 2) = cdr(x + 1) + 3.$

Since the top-level operation on the left-hand side is $+$, we can treat $car(x + 2)$ and $cdr(x + 1)$ as variables and use $solve_A$. This might yield a partially solved equation of the form $car(x + 2) = cdr(x + 1) - 2$. Now since the top-level operation on the left-hand side is from the theory of lists, we use $solve_L$ to obtain $x + 2 = cons(cdr(x + 1) - 2, u)$ with a fresh variable $u$. We once again apply $solve_A$ to obtain $x = cons(cdr(x + 1) - 2, u) - 2$. This is, however, not in solved form: the left-hand side variable occurs in an interpreted context in its solution. There is no way to prevent this from happening as long as each solver treats terms from another theory as variables. Therefore the union of Shostak theories is not necessarily a Shostak theory.

The problem of combining disjoint Shostak theories actually has a very simple 
solution. There is no need to combine solvers. Since the theories are disjoint, the 
canonizer can tolerate multiple solutions for the same variable as long as there 
is at most one solution from any individual theory. This can be illustrated on 
the same example: $5 + car(x + 2) = cdr(x + 1) + 3$. By variable abstraction, we 
obtain the equation $v_3 = v_6$, where $v_1 = x + 2$, $v_2 = car(v_1)$, $v_3 = v_2 + 5$, 
$v_4 = x + 1$, $v_5 = cdr(v_4)$, $v_6 = v_5 + 3$. We can separate these equations out into the 
respective theories so that $S$ is $(S_V; S_U; S_A; S_L)$, where $S_V$ contains the variable 
equalities in canonical form, $S_U$ is as in congruence closure but is always $\emptyset$ since 
there are no uninterpreted operations in this example, and $S_A$ and $S_L$ are the 
solution sets for $\theta_A$ and $\theta_L$, respectively. We then get 
$S_V = \{x = x, v_1 = v_1, v_2 = v_2, v_3 = v_6, v_4 = v_4, v_5 = v_5, v_6 = v_6\}$, 
$S_A = \{v_1 = x + 2, v_3 = v_2 + 5, v_4 = x + 1, v_6 = v_5 + 3\}$, and 
$S_L = \{v_2 = car(v_1), v_5 = cdr(v_4)\}$. Since $v_3$ and $v_6$ are 
merged in $S_V$, but not in $S_A$, we solve the equality between $S_A(v_3)$ and $S_A(v_6)$, 
i.e., $solve_A(v_2 + 5 = v_5 + 3)$, to get $v_2 = v_5 - 2$. This result is composed with 
$S_A$ to get $\{v_1 = x + 2, v_3 = v_5 + 3, v_4 = x + 1, v_6 = v_5 + 3, v_2 = v_5 - 2\}$ for $S_A$. 
There are no new variable equalities to be propagated out of either $S_A$, $S_L$, or 
$S_V$. Notice that $v_2$ and $v_5$ both have different solved forms in $S_A$ and $S_L$. This 
is tolerated since the solutions are from disjoint theories and the canonizer can 
pick a solution that is appropriate to the context. For example, when canonizing 
a term of the form $f(x)$ for $f \in \theta_i$, it is clear that the only relevant solution for 
$x$ is the one from $S_i$. 

We can now check whether the resulting solution state verifies the original 
equation $5 + car(x + 2) = cdr(x + 1) + 3$. In canonizing $f(a_1, \ldots, a_n)$ we return 
$S_V(y)$ whenever the term $f(S_i(S[a_1]), \ldots, S_i(S[a_n]))$ being canonized is such 
that $y = f(S_i(S[a_1]), \ldots, S_i(S[a_n])) \in S_i$ for $f \in \theta_i$. Thus $x + 2$ canonizes to $v_1$ 
using $S_A$, and $car(v_1)$ canonizes to $v_2$ using $S_L$. The resulting term $5 + v_2$, using 
the solution for $v_2$ from $S_A$, simplifies to $v_5 + 3$, which returns the canonical 
form $v_6$ by using $S_A$. On the right-hand side, $x + 1$ is equivalent to $v_4$ in $S_A$, 
and $cdr(v_4)$ simplifies to $v_5$ using $S_L$. The right-hand side therefore simplifies to 
$v_5 + 3$, which is canonized to $v_6$ using $S_A$. The canonized left-hand and right-hand 
sides are identical. 

We present a formal description of the procedure used informally in the above 
example. We show how $process$ from Section 3 can be extended to combine the 
union of disjoint solvable, canonizable, composable theories. We assume that 
there are $N$ disjoint theories $\theta_1, \ldots, \theta_N$. Each theory $\theta_i$ is equipped with a 
canonizer $\sigma_i$ and solver $solve_i$ for $i$-terms. If we let $I$ represent the interval 
$[1, N]$, then an $I$-model is a model $M$ that is an $i$-model for each $i \in I$. We 
will ensure that each inference step is conservative with respect to $I$-models, i.e., 
$I$-conservative. We represent the uninterpreted part of $S$ as $S_0$ instead of $S_U$. 
The solution state $S$ of the algorithm now consists of a list of sets of equations 
$(S_V; S_0; S_1; \ldots; S_N)$. Here $S_V$ is a set of variable equations of the form 
$x = y$, and $S_0$ is the set of equations of the form $x = f(x_1, \ldots, x_n)$ where $f$ is 
uninterpreted. Each $S_i$ is in $i$-solved form and is the solution set for $\theta_i$. 

Terms now contain a mixture of function symbols that are uninterpreted or 
are interpreted in one of the theories $\theta_i$. A solution state $S$ is confluent if for all 
$x, y \in dom(S_V)$ and $i$, $0 \leq i \leq N$: $S_V(x) = S_V(y) \iff S_i(\{x\}) \cap S_i(\{y\}) \neq \emptyset$. 
A solution state $S$ is canonical if it is confluent; $S_V$ is functional and idempotent, 
i.e., $S_V \circ S_V = S_V$; the uninterpreted solution set $S_0$ is normalized, i.e., $S_0 \triangleright S_V = S_0$; 
each $S_i$, for $i > 0$, is functional, idempotent, i.e., $S_i \circ_i S_i = S_i$, normalized, 
i.e., $S_i \triangleright S_V = S_i$, and in $i$-solved form. The canonization of expressions with 
respect to a canonical solution set $S$ is defined as follows. 

$S[x] = S_V(x)$ 
$abstract(S; x = y) = (S; x = y)$ 

$abstract(S; a = b) = (S'; a' = b')$, when $S', c, i : c \in max(\lceil a = b \rceil_i)$, 
$x \notin vars(S \cup \{a = b\})$, 
$S'_V = S_V \cup \{x = x\}$, 
$S'_i = S_i \cup \{x = c\}$, 
$S'_j = S_j$ for $i \neq j$, 
$a' = S'[a]$, 
$b' = S'[b]$. 

Fig. 2. Variable abstraction step for multiple Shostak theories 

$S[f(a_1, \ldots, a_n)] = S_V(x)$, when $i, x$ : $i \geq 0$, $f \in \theta_i$, $x = S\{\{f(a_1, \ldots, a_n)\}\} \in S_i$ 

$S[f(a_1, \ldots, a_n)] = S\{\{f(a_1, \ldots, a_n)\}\}$, otherwise. 

$S\{\{f(a_1, \ldots, a_n)\}\} = \sigma_i(f(S_i(S[a_1]), \ldots, S_i(S[a_n])))$, if $f \in \theta_i$, $i > 0$ 

$S\{\{f(a_1, \ldots, a_n)\}\} = f(S[a_1], \ldots, S[a_n])$, if $f \in \theta_0$. 

Since variables are used to communicate between the different theories, the 
canonical variable $x$ in $S_V$ is returned when the term being canonized is known 
to be equivalent to an expression $a$ such that $y = a$ is in $S_i$, where $x = S_V(y)$. 
The definition of the above global canonizer is one of the key contributions of 
this paper. This definition can be applied to the example above of computing 
$S[5 + car(x + 2)]$. 

Variable Abstraction. The variable abstraction procedure $abstract(S; a = b)$ is 
shown in Figure 2. If $a$ is an $i$-term such that $a \notin X$, then $a$ is said to be a 
pure $i$-term. Let $\lceil a = b \rceil_i$ represent the set of subterms of $a = b$ that are pure 
$i$-terms. A maximal $0$-term is one of the form $f(x_1, \ldots, x_n)$ for $f \in \theta_0$. For $i > 0$, 
the set $max(M)$ of maximal terms in $M$ is defined to be $\{a \in M \mid a = b \vee a \notin \lceil b \rceil_i$, 
for any $b \in M\}$. In a single variable abstraction step, $abstract(S; a = b)$ 
picks a maximal pure $i$-subterm $c$ from the canonized input equality $a = b$, 
and replaces it with a fresh variable $x$ from $X$ while adding $x = c$ to $S_i$. By 
abstracting a maximal pure $i$-term, we ensure that $S_i$ remains in $i$-solved form. 

Explanation. The procedure in Figure 3 is similar to that of Figure 1. Equations 
from the input set $T$ are processed into the solution state $S$ of the form 
$S_V; S_0; \ldots; S_N$. Initially, $S$ must be canonical. In processing the input equation 
$a = b$ into $S$, we take steps to systematically restore the canonicity of $S$. The 
first step is to compute the canonical form $S[a = b]$ of $a = b$ with respect to $S$. 
It is easy to see that $(S; S[a = b])$ $I$-preserves $(S; a = b)$. 
$process(S; \emptyset) = S$ 

$process(S; T) = S$, when $i : S_i = \bot$ 

$process(S; \{a = b\} \cup T) = process(S'; T)$, where 
$S' = close^*(merge_V(abstract^*(S; S[a = b])))$. 

$close(S) = S$, when $i : S_i = \bot$ 

$close(S) = S'$, when $S', i, x, y$ : 
$x, y \in dom(S_V)$, 
($i > 0$, $S_V(x) = S_V(y)$, $S_i(x) \neq S_i(y)$, and 
$S' = merge_i(S; x = y)$) 
or 
($i \geq 0$, $S_V(x) \neq S_V(y)$, $S_i(\{x\}) \cap S_i(\{y\}) \neq \emptyset$, and 
$S' = merge_V(S; S_V(x) = S_V(y))$) 

$close(S) = normalize(S)$, otherwise. 

$normalize(S) = (S_V; S_0; S_1 \triangleright S_V; \ldots; S_N \triangleright S_V)$. 

$merge_i(S; x = y) = S'$, where $i > 0$, 
$S'_i = S_i \circ_i solve_i(vars(S_i))(S_i(x) = S_i(y))$, 
$S'_j = S_j$ for $i \neq j$, 
$S'_V = S_V$. 

$merge_V(S; x = x) = S$ 

$merge_V(S; x = y) = (S_V \circ R; S_0 \triangleright R; S_1; \ldots; S_N)$, where $R = orient(x = y)$. 

Fig. 3. Combining Multiple Shostak Theories 


The result of the canonization step $a' = b'$ is then variable abstracted as 
$abstract^*(a' = b')$ (shown in Figure 2) so that in each step, a maximal, pure 
$i$-subterm $c$ of $a' = b'$ is replaced by a fresh variable $x$, and the equality $x = c$ is 
added to $S_i$. This is also easily seen to be an $I$-conservative step. The equality 
$x = y$ resulting from the variable abstraction of $a' = b'$ is then merged into $S_V$ 
and $S_0$. This can destroy confluence since there may be variables $w$ and $z$ such 
that $w$ and $z$ are merged in $S_V$ (i.e., $S_V(w) = S_V(z)$) that are unmerged in 
some $S_i$ (i.e., $S_i(\{w\}) \cap S_i(\{z\}) = \emptyset$), or vice-versa.4 The number of variables 
in $dom(S_V)$ remains fixed during the computation of $close^*(S)$. Confluence is 
restored by $close^*(S)$, which finds a pair of variables that are merged in some $S_i$ 
but not in $S_V$ and merges them in $S_V$, or that are merged in $S_V$ and not in 
some $S_i$ and merges them in $S_i$. Each such merge step is also $I$-conservative. 
When this process terminates, $S$ is once again canonical. The solution sets $S_i$ 
are normalized with respect to $S_V$ in order to ensure that the entries are in the 
normalized form for lookup during canonization. 

4 For $i > 0$, $S_i$ is maintained in $i$-solved form and hence, $S_i(\{x\}) = \{x, S_i(x)\}$. 
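
The following Python program is an added worked example; it is not code from the paper or from ICS. It runs the variable abstraction of Figure 2, the $merge_V$, $merge_A$, $close^*$ and $normalize$ steps of Figure 3, and the global canonizer $S[\cdot]$ on the text's example $5 + car(x + 2) = cdr(x + 1) + 3$, reproducing the solution sets $S_V$, $S_A$, $S_L$ traced above and canonizing both sides to $v_6$. The term encoding, the linear-form representation standing in for $\sigma_A$ and $solve_A$, the choice to solve for the least variable, and the restriction of $close$ to the $A$-solver (no $solve_L$ is needed by this example) are assumptions of the example; $S_0$ is omitted because the example has no uninterpreted symbols.

```python
from fractions import Fraction
from itertools import count

# Added example, not the paper's code: the text's running example over the disjoint
# theories A = linear arithmetic (+, -, int literals) and L = pairs (cons, car, cdr).
# Variables are str, literals int, applications tuples (op, arg, ...).  A linear form
# (sigma_A's normal form) is a frozen tuple of (monomial, coefficient) pairs; monomial
# None is the constant, and a non-A term is an opaque monomial.
THEORY = {'+': 'A', '-': 'A', 'cons': 'L', 'car': 'L', 'cdr': 'L'}

def theory_of(t):
    return 'A' if isinstance(t, int) else None if isinstance(t, str) else THEORY[t[0]]

def freeze(acc):
    return tuple(sorted(((m, c) for m, c in acc.items() if c), key=repr))

def lin(t):                                  # sigma_A on a term whose non-A parts are opaque
    if isinstance(t, int): return freeze({None: Fraction(t)})
    if isinstance(t, str) or theory_of(t) != 'A': return freeze({t: Fraction(1)})
    acc = {}
    for sign, a in ((1, t[1]), (1 if t[0] == '+' else -1, t[2])):
        for m, c in lin(a): acc[m] = acc.get(m, 0) + sign * c
    return freeze(acc)

def subst(form, sol):                        # apply {var: linear form} to a form (composition in A)
    acc = {}
    for m, c in form:
        for m2, c2 in sol.get(m, ((m, Fraction(1)),)): acc[m2] = acc.get(m2, 0) + c * c2
    return freeze(acc)

class State:                                 # (S_V; S_A; S_L); S_0 omitted: no uninterpreted symbols here
    def __init__(self):
        self.V, self.A, self.L, self.fresh = {}, {}, {}, count(1)

    def name(self, t):                       # fresh x with x = t added to the solution set of t's theory
        x = 'v%d' % next(self.fresh)
        self.V[x] = x
        (self.A if theory_of(t) == 'A' else self.L)[x] = lin(t) if theory_of(t) == 'A' else t
        return x

    def abstract(self, t, ctx=None):         # Fig. 2, bottom-up: maximal pure subterms foreign to ctx get names
        th = theory_of(t)
        if th is None: self.V.setdefault(t, t); return t
        if isinstance(t, int): return t if ctx == 'A' else self.name(t)
        t2 = (t[0],) + tuple(self.abstract(a, th) for a in t[1:])
        return t2 if th == ctx else self.name(t2)

    def merge_V(self, x, y):                 # S_V o orient(x = y): the class of x now points at y's
        rx, ry = self.V[x], self.V[y]
        self.V = {k: ry if v == rx else v for k, v in self.V.items()}

    def merge_A(self, x, y):                 # solve_A(S_A(x) = S_A(y)) for its least variable, then compose
        d = {}
        for sign, f in ((1, self.A.get(x, lin(x))), (-1, self.A.get(y, lin(y)))):
            for m, c in f: d[m] = d.get(m, 0) + sign * c
        d = {m: c for m, c in d.items() if c}
        w = min((m for m in d if isinstance(m, str)), default=None)
        if w is None: raise ValueError('S_A = bottom: the equalities are inconsistent')
        sol = freeze({m: -c / d[w] for m, c in d.items() if m != w})
        self.A = {v: subst(f, {w: sol}) for v, f in self.A.items()}
        self.A[w] = sol

    def close_step(self):
        """One step of close (Fig. 3), simplified: only merge_A exists, and variables solved in
        neither S_A nor S_L are left to S_V alone (enough for the text's example)."""
        xs = sorted(self.V)
        for x in xs:
            for y in xs:
                if x >= y or (x not in self.A and y not in self.A): continue
                ax, ay = self.A.get(x, lin(x)), self.A.get(y, lin(y))
                if self.V[x] == self.V[y] and ax != ay: self.merge_A(x, y); return True
                if self.V[x] != self.V[y] and ax == ay: self.merge_V(x, y); return True
        for x in self.L:
            for y in self.L:
                if x < y and self.V[x] != self.V[y] and self.L[x] == self.L[y]: self.merge_V(x, y); return True
        return False

    def normalize(self):                     # S_i |> S_V: right-hand sides over canonical variables
        r = {v: lin(c) for v, c in self.V.items() if v != c}
        self.A = {x: subst(f, r) for x, f in self.A.items()}
        self.L = {x: (u[0],) + tuple(self.V.get(a, a) for a in u[1:]) for x, u in self.L.items()}

    def process(self, a, b):                 # process(S; {a = b}) on the empty state
        self.merge_V(self.abstract(a), self.abstract(b))
        while self.close_step(): pass
        self.normalize()
        return self

    def aform(self, c):                      # S_A applied to a canonized argument, as a linear form
        if isinstance(c, str): return self.A.get(c, lin(c))
        return c if c == () or isinstance(c[0], tuple) else lin(c)

    def canon(self, t):                      # S[t]: canonize, then return S_V(x) if x = S{{t}} is in S_i
        if isinstance(t, str): return self.V.get(t, t)
        if isinstance(t, int): return lin(t)
        if theory_of(t) == 'A':
            acc = {}
            for sign, a in ((1, t[1]), (1 if t[0] == '+' else -1, t[2])):
                for m, c in self.aform(self.canon(a)): acc[m] = acc.get(m, 0) + sign * c
            form = freeze(acc)
            return next((self.V[x] for x, f in self.A.items() if f == form), form)
        args = tuple(self.L.get(c, c) if isinstance(c, str) else c for c in map(self.canon, t[1:]))
        term = (t[0],) + args
        if t[0] != 'cons' and isinstance(args[0], tuple) and args[0][:1] == ('cons',):
            term = args[0][1 if t[0] == 'car' else 2]     # sigma_L: car(cons(a, b)) = a, cdr(cons(a, b)) = b
        return next((self.V[x] for x, u in self.L.items() if u == term), term)

def demo():                                  # the text's 5 + car(x + 2) = cdr(x + 1) + 3
    lhs, rhs = ('+', 5, ('car', ('+', 'x', 2))), ('+', ('cdr', ('+', 'x', 1)), 3)
    st = State().process(lhs, rhs)
    return st, st.canon(lhs), st.canon(rhs)
```

Calling `demo()` returns the state together with the two canonical forms. After processing, `st.V` maps $v_3$ to $v_6$, `st.A` holds $v_2 = v_5 - 2$ and $v_3 = v_6 = v_5 + 3$ next to the original entries, `st.L` is unchanged, and both sides canonize to `'v6'`, exactly the trace given in the text. Note how `canon` consults $S_A$ for an argument of $+$ and $S_L$ for an argument of $car$ or $cdr$, which is the context-dependent choice of solution the text describes.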
Invariants. As with congruence closure, several key invariants are needed to 
ensure that the solution state $S$ is maintained in canonical form whenever it is 
given as the argument to $process$. If $S$ is canonical and $a$ and $b$ are canonical 
with respect to $S$, then for $(S'; a' = b') = abstract(S; a = b)$, $S'$ is canonical, 
and $a'$ and $b'$ are canonical with respect to $S'$. The state $abstract(S; a = b)$ 
$I$-preserves $(S; a = b)$. A solution state is said to be well-formed if $S_V$ is functional 
and idempotent, $S_0$ is normalized, and each $S_i$ is functional, idempotent, and in 
solved form. Note that if $S$ is well-formed, confluent, and each $S_i$ is normalized, 
then it is canonical. When $S$ is well-formed, and $S' = merge_V(S; x = y)$ or 
$S' = merge_i(S; x = y)$, then $S'$ is well-formed and $I$-preserves $(S; x = y)$. If $S$ 
is well-formed and congruence-closed, and $S' = normalize(S)$, then $S'$ is well-formed 
and each $S'_i$ is normalized. If $S' = normalize(S)$, then each $S'_i$ is in 
solved form because if $x$ replaces $y$ on the right-hand side of a solution set $S_i$, 
then $S_i(y) = y$ since $S_i$ is in $i$-solved form. By congruence closure, we already 
have that $S_i(x) = S_i(y) = y$. Therefore, the uniform replacement of $y$ by $x$ 
ensures that $S'_i(x) = x$, thus leaving $S'$ in solved form. If $S' = close^*(S)$, where 
$S$ is well-formed, then $S'$ is canonical. 

Variations. As with congruence closure, once $S$ is confluent, it is safe to 
strengthen the normalization step to replace each $S_i$ by $S_V[S_i]$. This renders 
$S_0^{-1}$ functional, but $S_i^{-1}$ may still be non-functional for $i > 0$, since it might 
contain left-hand side variables that are local. However, if $S_i$ is taken to be $S_i$ 
restricted to $dom(S_V)$, then $S_i^{-1}$ with the strengthened normalization is functional 
and can be used in canonization. The solutions for local variables can 
be safely discarded in an actual implementation. The canonization and variable 
abstraction steps can be combined within a single recursion. 

Termination. The operations $S[a = b]$ and $abstract^*(S; a = b)$ are easily seen 
to be terminating. The operation $close^*(S)$ also terminates because the sum of 
the number of equivalence classes of variables in $dom(S_V)$ with respect to each 
of the solution sets $S_V, S_0, S_1, \ldots, S_N$ decreases with each merge operation. 

Soundness and Completeness. We have already seen that each of the steps: 
canonization, variable abstraction, composition, merging, and normalization, 
is $I$-conservative. It therefore follows that if $S' = process(S; T)$, then $S'$ 
$I$-preserves $S$. Hence, if $S'[c] = S'[d]$, then clearly $\models_I (S' \vdash c = d)$, and hence 
$\models_I (S; T \vdash c = d)$. 

The completeness argument requires the demonstration that if $S'[c] \neq S'[d]$, 
then $\not\models_I (S' \vdash c = d)$ when $S'$ is canonical. This is done by means of a construction 
of $M_{S'}$ and $\rho_{S'}$ such that $M_{S'}, \rho_{S'} \models S'$ but $M_{S'}, \rho_{S'} \not\models c = d$. The 
domain $D$ consists of canonical terms $e$ such that $S'[e] = e$. As with congruence 
closure, $M_{S'}$ is defined so that $M_{S'}(f)(e_1, \ldots, e_n) = S'[f(e_1, \ldots, e_n)]$. The assignment 
$\rho_{S'}$ is defined so that $\rho_{S'}(x) = S'_V(x)$. By induction on $c$, we have that 
$M_{S'}[\![c]\!]\rho_{S'} = S'[c]$. We can also easily check that $M_{S'}, \rho_{S'} \models S'$. 

It is also the case that $M_{S'}$ is an $I$-model since $M_{S'}$ is isomorphic to $M_i$ 
for each $i$, $1 \leq i \leq N$. This can be demonstrated by constructing a bijective 
map $\mu_i$ between $D$ and the domain $D_i$ corresponding to $M_i$ so that $\mu_i(x) = a'$, 
where $\pi_i[a'] = S'_i(x)$; $\mu_i(f(a_1, \ldots, a_n)) = M_i(f)(\mu_i(a_1), \ldots, \mu_i(a_n))$ if $f \in \theta_i$, and 
$\pi_i^{-1}(f(a_1, \ldots, a_n))$ otherwise. It can then be verified that for any $f \in \theta_i$ and 
terms $a_1, \ldots, a_n$ in $D$, $\mu_i(M_{S'}(f)(a_1, \ldots, a_n)) = M_i(f)(\mu_i(a_1), \ldots, \mu_i(a_n))$. This 
concludes the proof of completeness. 

Convexity revisited. As in Section 4, the term model construction of $M_{S'}$ once 
again establishes that $I$-validity is convex. In other words, a sequent $\models_I (T \vdash 
c_1 = d_1 \vee \ldots \vee c_n = d_n)$ holds iff $\models_I (T \vdash c_k = d_k)$ for some $k$, $1 \leq k \leq n$. 


6  Conclusions 

Ground decision procedures for equality are crucial for discharging the myriad 
proof obligations that arise in numerous applications of automated reasoning. 
These goals typically contain operations from a combination of theories, including 
uninterpreted symbols. Shostak's basic method deals only with the combination 
of a single canonizable, solvable theory with equality over uninterpreted 
function symbols. Indeed, in all previous work based on Shostak's method, only 
the basic combination is considered. Though Shostak asserted that the basic 
combination was adequate to cover the more general case of multiple Shostak 
theories, this claim has turned out to be unsubstantiated. We have given here the 
first Shostak-style combination method for the general case of multiple Shostak 
theories. The algorithm is quite simple and is supported by straightforward arguments 
for termination, soundness, and completeness. 

Shostak's combination method, as we have described it, is clearly an instance 
of a Nelson-Oppen combination [NO79] since it involves the exchange of equalities 
between variables through the solution set $S_V$. The added advantage of a 
Shostak combination is that it combines the canonizers of the individual theories 
into a global canonizer. The definition of such a canonizer for multiple Shostak 
theories is the key contribution of this paper. The technique of achieving confluence 
across the different solution sets is unique to our method. Confluence 
is needed for obtaining useful canonical forms, and is therefore not essential 
in a general Nelson-Oppen combination. The global canonizer $S[a]$ can be applied 
to input formulas to discharge queries and simplify input formulas. The 
reduction to canonical form with respect to the given equalities helps keep the 
size of the term universe small, and makes the algorithm more efficient than 
a black box Nelson-Oppen combination. The decision algorithm for a Shostak 
theory given in Section 4 fits the requirements for a black box procedure that 
can be used within a Nelson-Oppen combination. The Nelson-Oppen combination 
of Shostak theories with other decision procedures has been studied by 
Tiwari [Tiw00], Barrett, Dill, and Stump [BDS02], and Ganzinger [Gan02], but 
none of these methods includes a general canonization procedure as is required 
for a Shostak combination. 
Variable abstraction is also used in the combination unification procedure of 
Baader and Schulz [BS96], which addresses a similar problem to that of combining 
Shostak solvers. In our case, there is no need to ensure that solutions 
are compatible across distinct theories. Furthermore, variable dependencies can 
be cyclic across theories so that it is possible to have $y \in vars(S_i(x))$ and 
$x \in vars(S_j(y))$ for $i \neq j$. Our algorithm can be easily and usefully adapted 
for combining unification and matching algorithms with constraint solving in 
Shostak theories. 

Insights derived from the Nelson-Oppen combination method have been crucial 
in the design of our algorithm and its proof. Our presentation here is different 
from that of our previous algorithm for the basic Shostak combination [RS01] 
in the use of variable abstraction and the theory-wise separation of solution 
sets. Our proof of the basic algorithm additionally demonstrated the existence 
of proof objects in a sound and complete proof system. This can easily be replicated 
for the general algorithm studied here. The soundness and completeness 
proofs given here are for composable theories and avoid the use of $\sigma$-models. 

Our Shostak-style algorithm fits modularly within the Nelson-Oppen framework. 
It can be employed within a Nelson-Oppen combination (as suggested 
by Rushby [CLS96]) in which there are other decision procedures that generate 
equalities between variables. It is also possible to combine it with decision procedures 
that are not disjoint, as for example with linear arithmetic inequalities. 
Here, the existence of a canonizer with respect to equality is useful for representing 
inequality information in a canonical form. A variant of the procedure 
described here is implemented in ICS [FORS01] in exactly such a combination. 
Abstract. We show that the confluence of shallow linear term rewrite systems 
is decidable. The decision procedure is a nontrivial generalization of the polynomial 
time algorithms for deciding confluence of ground and restricted non-ground 
term rewrite systems presented in [13, 2]. Our algorithm has a polynomial time 
complexity if the maximum arity of a function symbol in the signature is considered 
a constant. We also give EXPTIME-hardness proofs for reachability and 
confluence of shallow term rewrite systems. 


1  Introduction 

Programming language interpreters, proving equations (e.g. $x^3 = x$ implies the ring 
is Abelian), abstract data types, program transformation and optimization, and even 
computation itself (e.g., Turing machine) can all be specified by a set of rules, called 
a rewrite system. The rules are used to replace ("reduce") subexpressions of given expressions 
by other expressions (usually equivalent ones in some sense). A fundamental 
property of a rewrite system is the confluence or Church-Rosser property. Informally, 
confluence states that if an expression $a$ can be reduced (in zero or more steps) to two 
different expressions $b$ and $c$, then there is a common expression $d$ to which $b$ and $c$ 
can be reduced in zero or more steps. Confluence implies uniqueness of normal ("irreducible") 
forms and helps to "determinise" their search by avoiding backtracking. 

In general, confluence is well-known to be undecidable; however, it is known to 
be decidable for terminating systems [8] and for the subclass of arbitrary variable-free 
("ground") systems [4, 11]. Ground systems include as a subclass the tree automata 
model, which has important computer science applications. The previous decidability 
proofs of confluence for ground systems [4, 11] were based on tree-automata techniques 
and showed that this problem was in EXPTIME, but no nontrivial lower bounds were 
known. Hence the exact complexity of this problem was open until last year, when a 
series of papers [7, 2, 13, 6] culminated in a polynomial time algorithm for this problem 
for shallow and rule-linear systems, which include ground systems as a special case. In 
a shallow system variables in the rules cannot appear at depth more than one. Shallow 
systems have been well-studied in other contexts [10, 3]. Linearity in [13, 6], called 
rule-linearity here, means each variable can appear at most once in the entire rule. Thus, 
commutativity ($x + y = y + x$) is a shallow equation but not rule-linear, and associativity 
is neither shallow nor rule-linear. 

In this paper, we establish decidability of confluence for shallow systems in which 
the left-hand side and right-hand side are independently linear, i.e., a variable can have 
two occurrences in a rule, once in each side of the rule. In fact, the decision procedure 
runs in polynomial time if we assume that the maximum arity of a function symbol in 
the signature is a constant. The results in this paper subsume the shallow rule-linear 
systems of [13] as a special case. The algorithm is a nontrivial generalization of the 
algorithms in [2, 13]. We introduce a notion of marked terms and marked rewriting, and 
then generalize the central concept of top stability in [2]. The conditions to be checked 
by the algorithm are also generalized and the constructions are more involved. We also 
prove that the reachability, joinability and confluence problems are all EXPTIME-hard 
for shallow non-linear systems and all are known to be undecidable for linear non-shallow 
systems [15], which indicates that the linearity and shallowness assumptions 
are fairly tight. 

1.1  Preliminaries 

Let $\mathcal{F}$ be a (finite) set of function symbols with an arity function $arity: \mathcal{F} \to \mathbb{N}$. 
Function symbols $f$ with $arity(f) = n$, denoted by $f^{(n)}$, are called $n$-ary symbols 
(when $n = 1$, one says unary and when $n = 2$, binary). If $arity(f) = 0$, then $f$ 
is a constant symbol. Let $\mathcal{X}$ be a set of variable symbols. The set of terms over $\mathcal{F}$ 
and $\mathcal{X}$, denoted by $T(\mathcal{F}, \mathcal{X})$, is the smallest set containing all constant and variable 
symbols such that $f(t_1, \ldots, t_n)$ is in $T(\mathcal{F}, \mathcal{X})$ whenever $f \in \mathcal{F}$, $arity(f) = n$, and 
$t_1, \ldots, t_n \in T(\mathcal{F}, \mathcal{X})$. A position is a sequence of positive integers. If $p$ is a position 
and $t$ is a term, then by $t|_p$ we denote the subterm of $t$ at position $p$: we have $t|_\lambda = t$ 
(where $\lambda$ denotes the empty sequence) and $f(t_1, \ldots, t_n)|_{i.p} = t_i|_p$ if $1 \leq i \leq n$ (and 
is undefined if $i > n$). We also write $t[s]_p$ to denote the term obtained by replacing 
in $t$ the subterm at position $p$ by the term $s$. For example, if $t$ is $f(a, g(b, h(c)), d)$, 
then $t|_{2.2.1} = c$, and $t[d]_{2.2} = f(a, g(b, d), d)$. By $|s|$ we denote the size (number of 
symbols) of a term $s$: we have $|a| = 1$ if $a$ is a constant symbol or a variable, and 
$|f(t_1, \ldots, t_n)| = 1 + |t_1| + \ldots + |t_n|$. The depth of a term $s$ is $0$ if $s$ is a variable or a 
constant, and $1 + \max_i depth(s_i)$ if $s = f(s_1, \ldots, s_n)$. Terms with depth $0$ are denoted 
by $\alpha, \beta$, with possible subscripts. 

If $\to$ is a binary relation on a set $S$, then $\to^+$ is its transitive closure, $\leftarrow$ is its 
inverse, and $\to^*$ is its reflexive-transitive closure. Two elements $s$ and $t$ of $S$ are called 
joinable by $\to$, denoted $s \downarrow t$, if there exists a $u$ in $S$ such that $s \to^* u$ and $t \to^* u$. The 
relation $\to$ is called confluent or Church-Rosser if the relation $\leftarrow^* \circ \to^*$ is contained 
in $\to^* \circ \leftarrow^*$, that is, for all $s$, $t_1$ and $t_2$ in $S$, if $s \to^* t_1$ and $s \to^* t_2$, then $t_1 \downarrow t_2$. An 
equivalent definition of confluence of $\to$ is that $\leftrightarrow^*$ is contained in $\to^* \circ \leftarrow^*$, that is, 
all $s$ and $t$ in $S$ such that $s \leftrightarrow^* t$ are joinable. 

A substitution $\sigma$ is a mapping from variables to terms. It can be homomorphically 
extended to a function from terms to terms: using a postfix notation, $t\sigma$ denotes the 
result of simultaneously replacing in $t$ every $x \in Dom(\sigma)$ by $x\sigma$. Substitutions are 
sometimes written as finite sets of pairs $\{x_1 \mapsto t_1, \ldots, x_n \mapsto t_n\}$, where each $x_i$ is a 
variable and each $t_i$ is a term. For example, if $\sigma$ is $\{x \mapsto f(b, y), y \mapsto a\}$, then $g(x, y)\sigma$ 
is $g(f(b, y), a)$. 

A rewrite rule is a pair of terms $(l, r)$, denoted by $l \to r$, with left-hand side (lhs) 
$l$ and right-hand side (rhs) $r$. A term rewrite system (TRS) $R$ is a finite set of rewrite 
rules. We say that $s$ rewrites to $t$ in one step at position $p$ (by $R$), denoted by $s \to_{R,p} t$, 
if $s|_p = l\sigma$ and $t = s[r\sigma]_p$, for some $l \to r \in R$ and substitution $\sigma$. If $p = \lambda$, then the 
rewrite step is said to be applied at the topmost position (at the root) and is denoted by 
$s \to^{r}_{R} t$; it is denoted by $s \to^{nr}_{R} t$ otherwise. The rewrite relation $\to_R$ induced by $R$ on 
$T(\mathcal{F}, \mathcal{X})$ is defined by $s \to_R t$ if $s \to_{R,p} t$ for some position $p$. 

A (rewrite) derivation or proof (from $s$) is a sequence of rewrite steps (starting from 
$s$), that is, a sequence $s \to_R s_1 \to_R s_2 \to_R \cdots$. The size $|R|$ of a TRS $R$ of the form 
$\{l_1 \to r_1, \ldots, l_n \to r_n\}$ is $|l_1| + |r_1| + \ldots + |l_n| + |r_n|$. 


Definition 1. A term $t$ is called 

- linear if no variable occurs more than once in $t$. 

- shallow if no variable occurs in $t$ at depth greater than $1$, i.e., if $t|_p$ is a variable, 
then $p$ is a position of length zero or one. 

- flat if $t$ is a non-constant term of the form $f(s_1, \ldots, s_n)$ where all $s_i$ are variables 
or constants. 
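
As an added example (not code from the paper), the following Python functions implement the term operations of the preliminaries ($t|_p$, $t[s]_p$, $|t|$, depth) and the predicates of Definition 1, together with the rule-linearity of [13, 6] for comparison, and check them against the text's own term $f(a, g(b, h(c)), d)$ and the commutativity and associativity rules. The tuple encoding of terms (a variable is a string, an application is a tuple whose first element is the symbol, so a constant is a one-element tuple) is an assumption of the example.

```python
# Added example, not the paper's code: term positions, size, depth and the predicates of
# Definition 1.  A variable is a str; an application is a tuple (f, t_1, ..., t_n), so a
# constant such as a is the one-element tuple ('a',).
def is_var(t):
    return isinstance(t, str)

def subterm(t, p):
    """t|_p for a position p given as a tuple of positive integers; None if undefined."""
    for i in p:
        if is_var(t) or i > len(t) - 1:
            return None
        t = t[i]
    return t

def replace(t, p, s):
    """t[s]_p: t with the subterm at position p replaced by s."""
    if not p:
        return s
    return t[:p[0]] + (replace(t[p[0]], p[1:], s),) + t[p[0] + 1:]

def size(t):
    """|t|: the number of symbols of t."""
    return 1 if is_var(t) else 1 + sum(size(a) for a in t[1:])

def depth(t):
    """0 for a variable or constant, 1 + the maximum depth of the arguments otherwise."""
    return 0 if is_var(t) or len(t) == 1 else 1 + max(depth(a) for a in t[1:])

def variables(t):
    """All variable occurrences of t, left to right (repetitions included)."""
    return [t] if is_var(t) else [v for a in t[1:] for v in variables(a)]

def var_positions(t, p=()):
    """Positions of the variable occurrences of t."""
    if is_var(t):
        return [p]
    return [q for i, a in enumerate(t[1:], 1) for q in var_positions(a, p + (i,))]

def is_linear(t):                 # no variable occurs more than once in t
    return len(variables(t)) == len(set(variables(t)))

def is_shallow(t):                # every variable occurrence is at depth 0 or 1
    return all(len(p) <= 1 for p in var_positions(t))

def is_flat(t):                   # non-constant f(s_1, ..., s_n) with depth-0 arguments
    return not is_var(t) and len(t) > 1 and all(is_var(a) or len(a) == 1 for a in t[1:])

def is_rule_linear(l, r):
    """Rule-linearity of [13, 6]: each variable occurs at most once in the whole rule."""
    occ = variables(l) + variables(r)
    return len(occ) == len(set(occ))

def classify(l, r):
    """Which of the restrictions discussed in the text the rule l -> r satisfies."""
    return {'shallow': is_shallow(l) and is_shallow(r),
            'linear': is_linear(l) and is_linear(r),
            'rule_linear': is_rule_linear(l, r)}

# Constructed inputs: the text's term f(a, g(b, h(c)), d), commutativity and associativity.
T = ('f', ('a',), ('g', ('b',), ('h', ('c',))), ('d',))
COMM = (('+', 'x', 'y'), ('+', 'y', 'x'))
ASSOC = (('+', ('+', 'x', 'y'), 'z'), ('+', 'x', ('+', 'y', 'z')))
```

With these definitions `subterm(T, (2, 2, 1))` is `('c',)` and `replace(T, (2, 2), ('d',))` is the encoding of $f(a, g(b, d), d)$, as in the text; `classify(*COMM)` reports shallow and linear but not rule-linear, and `classify(*ASSOC)` reports linear but neither shallow nor rule-linear, which is the distinction the introduction draws between the two notions of linearity.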

Definition 2. Let $R$ be a TRS. 

A term $s$ is reachable from $t$ by $R$ if $t \to^*_R s$. 

Two terms $s$ and $t$ are equivalent by $R$ if $s \leftrightarrow^*_R t$. 

Two terms $s$ and $t$ are joinable by $R$, denoted by $s \downarrow_R t$, if they are joinable by $\to_R$. 

A term $s$ is $R$-irreducible if there is no term $t$ s.t. $s \to_R t$. 

The TRS $R$ is confluent if the relation $\to_R$ is confluent on $T(\mathcal{F}, \mathcal{X})$. 

We assume that $R$ is a shallow and linear term rewrite system, that is, if $s \to t$ is a 
rule in $R$, then $s$ and $t$ are both linear and shallow terms. Unlike previous results in [13, 
6], the terms $s$ and $t$ are allowed to share variables. 

2  Confluence  of  Shallow  and  Linear  Rewrite  Systems 

Assuming that the maximum arity of a function symbol in $\mathcal{F}$ is bounded by a constant, 
we show that confluence of a shallow and linear term rewrite system $R$ over $\mathcal{F}$ can 
be decided in polynomial time. The proof of this fact uses suitable generalizations of 
the techniques in [2, 13]. In Section 2.1 we argue that without loss of generality, we 
can restrict the signature $\mathcal{F}$ to contain exactly one function symbol with nonzero arity. 
Thereafter, we transform the rewrite system $R$ into a flat rewrite system in Section 2.2. 
The flat linear term rewrite system is saturated under an ordered chaining inference rule in 
Section 2.3 to construct a rewrite closure, which has several useful properties. The rest 
of the proof relies on the notion of top-stable and marked top-stable terms (Section 2.4), 
the ability to compute these sets (Section 2.5), and relating confluence of a saturated flat 
linear rewrite system to efficiently checkable properties over these sets (Section 2.6). 
2.1 Simplifying the Signature 

Terms over an arbitrary signature $\mathcal{F}$ can be encoded by terms over a signature $\mathcal{F}'$ 
containing at most one function symbol with non-zero arity. We may assume that $\mathcal{F}$ 
contains at least one constant $e$ that does not appear in $R$. 

Proposition 1. There exists an injective mapping $\sigma$ from terms over an arbitrary $\mathcal{F}$ to 
terms over a signature $\mathcal{F}'$ containing exactly one function symbol (with non-zero fixed 
arity) such that if $R'$ is defined as $\{\sigma(s) \to \sigma(t) : s \to t \in R\}$, then $R$ is confluent if 
and only if $R'$ is confluent. 

Proof (Sketch) Let $m$ be one plus the maximum arity of any function symbol in $\mathcal{F}$. 
Define the new signature $\mathcal{F}'$ as 

$\mathcal{F}' = \{h^{(0)} : h^{(l)} \in \mathcal{F},\ l > 0\} \cup \{f^{(m)}\} \cup \{c^{(0)} : c^{(0)} \in \mathcal{F}\},$ 

where $f$ is a new symbol. Define the map $\sigma$ as follows: for each $h \in \mathcal{F}$ with arity $l > 0$, 

$\sigma(h(t_1, \ldots, t_l)) = f(\sigma(t_1), \ldots, \sigma(t_l), e, \ldots, e, h)$ 

where the number of $e$'s above equals $m - l - 1$, and for each $c \in \mathcal{F}$ with arity $0$, 
$\sigma(c) = c$. The mapping $\sigma$ is clearly injective, but not surjective. We can classify terms 
over $\mathcal{F}'$ into type 1 and type 2 terms (using a simple sorted signature) so that terms of 
type 1 exactly correspond to $Range(\sigma)$. It is easy to see that there is a bijective correspondence 
between proofs in $R$ and proofs in $R'$ over terms in $Range(\sigma)$. Combining 
this observation with a result in [16], which states that proving confluence for arbitrary 
terms over the signature is equivalent to proving confluence of the well-typed terms 
according to any many-sorted discipline which is compatible with the rewrite system 
under consideration, it follows that $R$ is confluent iff $R'$ is confluent. 

2.2  Flat  Representation 

In the transformation described in Section 2.1, the properties of being linear and shallow are preserved. We next flatten the term rewrite system so that the depth of each term is at most one. In particular, given a linear shallow term rewrite system $R$, it can be transformed so that each rule in $R$ is of the form

$$\begin{array}{ll}
f(\alpha_1, \ldots, \alpha_m) \to c & (Fc)\\
c \to f(\alpha_1, \ldots, \alpha_m) & (Bc)\\
f(\alpha_1, \ldots, \alpha_m) \to x & (Fx)\\
x \to f(\alpha_1, \ldots, \alpha_m) & (Bx)\\
f(\alpha_1, \ldots, \alpha_m) \to f(\beta_1, \ldots, \beta_m) & (Pf)\\
\alpha \to \beta & (Pc)
\end{array}$$

where each $\alpha_i$, $\beta_i$, $\alpha$, $\beta$ is a depth 0 term (i.e., either a variable or a constant). Rules of the form $Fc$ and $Fx$ are called forward rules and denoted by $F$, rules of the form $Bc$ and $Bx$ are called backward rules and denoted by $B$, and rules of the form $Pf$ and $Pc$ are called permutation rules and denoted by $P$. Rules of the form $Bx$ are called insertion rules. We call such a rewrite system $R$ a flat linear rewrite system.

This transformation is easily done by replacing each non-constant ground term, say $s$, in $R$ by a new constant, say $c$, and adding a rule $s \to c$ or $c \to s$, depending on whether $s$ occurred on the left- or right-hand side of $R$.

$$\text{Flatten:}\qquad \frac{u[s] \to t}{u[c] \to t,\quad s \to c} \qquad\qquad \frac{t \to u[s]}{t \to u[c],\quad c \to s}$$

where $s$ is a non-constant ground term and $c$ is a new constant.

Exhaustive application of these two rules results in a flat linear shallow rewrite system. This transformation can be done in polynomial time, as the number of applications of the above two rules is bounded by the size of the initial rewrite system $R$. It is easily seen to preserve confluence; see [2, 13] for instance.
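The Flatten rule above, as an added worked example (this is not the paper's code): a Python implementation that applies it exhaustively to a small constructed linear shallow system and names the form of each resulting rule as in the list of Section 2.2. The term encoding and the reuse of one constant per distinct ground subterm are assumptions of this example.

```python
"""Added example (not the paper's own code): the Flatten transformation of
Section 2.2 applied exhaustively to a linear shallow TRS, plus a classifier
naming each resulting flat rule's form (Fc, Bc, Fx, Bx, Pf, Pc).
Term encoding (an assumption of this example): a variable is a plain str,
a constant is a 1-tuple ('a',), an application is ('f', t1, ..., tn)."""
from itertools import count

def is_var(t):
    return isinstance(t, str)

def is_const(t):
    return isinstance(t, tuple) and len(t) == 1

def args(t):
    return () if is_var(t) else t[1:]

def depth(t):
    """Depth 0 for variables and constants, else 1 + the deepest argument."""
    return 0 if is_var(t) or is_const(t) else 1 + max(depth(a) for a in args(t))

def is_ground(t):
    return not is_var(t) and all(is_ground(a) for a in args(t))

def show(t):
    if is_var(t):
        return t
    if is_const(t):
        return t[0]
    return t[0] + "(" + ", ".join(show(a) for a in args(t)) + ")"

def flatten(rules, prefix="_c"):
    """Replace every non-constant ground proper subterm s by a constant c,
    adding s -> c when s sat on a left-hand side and c -> s when it sat on
    a right-hand side, until every rule has depth at most one.  Assumption
    of this example: the same ground subterm always gets the same constant,
    so that repeated occurrences of s stay joinable after flattening."""
    fresh, names = count(), {}
    todo, flat = list(rules), []

    def abstract(term, on_lhs):
        if depth(term) == 0:
            return term
        new_args = []
        for a in args(term):
            if is_ground(a) and not is_const(a):
                if a not in names:
                    names[a] = (prefix + str(next(fresh)),)
                c = names[a]
                todo.append((a, c) if on_lhs else (c, a))
                new_args.append(c)
            else:
                new_args.append(a)
        return (term[0], *new_args)

    while todo:
        l, r = todo.pop()
        if depth(l) <= 1 and depth(r) <= 1:
            if (l, r) not in flat:
                flat.append((l, r))
            continue
        nl, nr = abstract(l, True), abstract(r, False)
        if (nl, nr) == (l, r):          # a deep non-ground argument: not shallow
            raise ValueError("not shallow: " + show(l) + " -> " + show(r))
        todo.append((nl, nr))
    return flat

def classify(rule):
    """Form of a flat rule, using the names of Section 2.2."""
    l, r = rule
    dl, dr = depth(l), depth(r)
    if dl == 1 and dr == 0:
        return "Fx" if is_var(r) else "Fc"      # forward rules F
    if dl == 0 and dr == 1:
        return "Bx" if is_var(l) else "Bc"      # backward rules B (Bx: insertion)
    return "Pf" if dl == 1 else "Pc"            # permutation rules P

# Constructed input: linear and shallow, but with ground subterms of depth 1.
EXAMPLE = [
    (("f", ("g", ("a",)), "x"), "x"),            # f(g(a), x) -> x
    ("y", ("f", ("h", ("b",)), "y")),            # y -> f(h(b), y)
    (("f", ("g", ("a",)), ("c",)), ("d",)),      # f(g(a), c) -> d
]

if __name__ == "__main__":
    for rule in flatten(EXAMPLE):
        print(classify(rule), show(rule[0]), "->", show(rule[1]))
```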

2.3  Rewrite  Closure 

Let $\succ$ order terms based on their size, that is, $s \succ t$ iff $|s| > |t|$. An application of an $F$-rule results in a smaller term, whereas application of a $B$-rule gives a bigger term in this ordering.

Definition 3. A term $s$ is size-irreducible by $R$ if there exists no term $t$ such that $s \to_R t$ and $s \succ t$.

Definition 4. A derivation $s \to_R^* t$ is said to be increasing if for all decompositions $s \to_R^* s' \to_{l \to r, p} t' \to_R^* t$, there is no step at a prefix position of $p$ in $t' \to_R^* t$.

Observe that increasing derivations either have no rewrite step at position $\lambda$ (the root), or only one at the beginning of the derivation. For simplicity, we eliminate the former case by assuming a dummy rewrite rule $x \to x$ to be in $R$, which can always be applied at the $\lambda$ position in case there is no top step.

A flat linear rewrite system can be saturated under the following ordered chaining inference to give an enlarged flat linear rewrite system with some nice properties.

$$\text{Ordered Chaining:}\qquad \frac{s \to t \qquad w[u] \to v}{w[s]\sigma \to v\sigma} \qquad\qquad \frac{s \to w[t] \qquad u \to v}{s\sigma \to w[v]\sigma}$$

where $\sigma$ is the most general unifier of $t$ and $u$, neither $u$ nor $t$ is a variable, and $s \not\succ t$ in the first case and $v \not\succ u$ in the second. Note that these restrictions ensure that ordered chaining preserves flatness and shallowness.

Application of ordered chaining preserves confluence. Moreover, if the maximum arity $m$ is a constant, then saturation under ordered chaining can be performed in polynomial time.

Lemma 1. Let $R = F \cup B \cup P$ be a flat linear rewrite system saturated under the ordered chaining inference rules. If $s \to_R^* t$, then there is a proof of the form $s \to_F^* \circ \to_P^* \circ \to_B^* t$.

Lemma 1 can be easily established using proof simplification arguments [1]. Similar proofs have been presented before, but for the special case of ground systems [12] and rule-linear shallow rewrite systems [14]. The generalization to the linear shallow case is straightforward and the details are skipped here. The process of saturation, in this context, can be interpreted as asymmetric completion [9].
Lemma 2. Let $R$ be a flat linear rewrite system saturated under the ordered chaining inference rule above. If $s$ is size-irreducible (or, equivalently, $F$-irreducible) and $s \to_R^* t$, then there is an increasing derivation $s \to_R^* t$.

Example 1. If $R = \{x + y \to y + x,\ x \to 0 + x\}$, then the chaining inferences add a new rule $x \to x + 0$ to $R$. An increasing derivation for $0 + x \to^* (x + 0) + 0$ is $0 + x \to x + 0 \to (x + 0) + 0$.
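Ordered chaining of Section 2.3, as an added example (not the paper's own code): a small Python saturation procedure that applies both inference rules under the $s \not\succ t$ and $v \not\succ u$ restrictions and reproduces Example 1, where the only new rule is $x \to x + 0$. The term encoding, the dropping of trivial conclusions $l \to l$, and the use of general syntactic unification are assumptions of this example.

```python
"""Added example (not the paper's own code): saturation of a flat linear
rewrite system under the two ordered chaining inferences of Section 2.3,
run on Example 1.  Term encoding is an assumption of this example: a
variable is a plain str, a constant a 1-tuple ('0',), an application a
tuple ('+', t1, t2).  Conclusions of the form l -> l are dropped; the
paper's dummy rule x -> x stands in for them."""

def is_var(t):
    return isinstance(t, str)

def is_const(t):
    return isinstance(t, tuple) and len(t) == 1

def size(t):
    """|t| = number of symbol occurrences; s is bigger than t iff |s| > |t|."""
    return 1 if is_var(t) or is_const(t) else 1 + sum(size(a) for a in t[1:])

def vars_of(t):
    if is_var(t):
        return {t}
    return set().union(*(vars_of(a) for a in t[1:]))

def subst(t, sg):
    if is_var(t):
        return sg.get(t, t)
    return t if is_const(t) else (t[0], *(subst(a, sg) for a in t[1:]))

def unify(a, b, sg=None):
    """Most general unifier of a and b extending sg, or None if none exists."""
    sg = {} if sg is None else sg
    a, b = subst(a, sg), subst(b, sg)
    if a == b:
        return sg
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        if v in vars_of(t):                      # occurs check
            return None
        return {**{k: subst(w, {v: t}) for k, w in sg.items()}, v: t}
    if is_const(a) or is_const(b) or a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        sg = unify(x, y, sg)
        if sg is None:
            return None
    return sg

def rename_apart(rule, tag="'"):
    sg = {v: v + tag for v in vars_of(rule[0]) | vars_of(rule[1])}
    return subst(rule[0], sg), subst(rule[1], sg)

def canon(rule):
    """Rename variables to v0, v1, ... in order of first occurrence, so that
    rules equal up to variable renaming compare equal."""
    names = {}
    def walk(t):
        if is_var(t):
            names.setdefault(t, "v%d" % len(names))
        elif not is_const(t):
            for a in t[1:]:
                walk(a)
    walk(rule[0])
    walk(rule[1])
    return subst(rule[0], names), subst(rule[1], names)

def nonvar_positions(t):
    """(u, put) for each non-variable subterm u of the flat term t, where
    put(x) rebuilds t with x in place of u, i.e. the context w[.]."""
    out = []
    if is_var(t):
        return out
    out.append((t, lambda x: x))
    if not is_const(t):
        for i, a in enumerate(t[1:], 1):
            if not is_var(a):
                out.append((a, lambda x, i=i: t[:i] + (x,) + t[i + 1:]))
    return out

def chain(r1, r2):
    """All conclusions of ordered chaining with premises r1 and r2."""
    (s, t), (l, v) = r1, rename_apart(r2)
    out = []
    # s -> t and w[u] -> v give w[s]sigma -> v sigma, provided not s > t
    if not is_var(t):
        for u, put in nonvar_positions(l):
            sg = unify(t, u)
            if sg is not None and size(s) <= size(t):
                out.append((subst(put(s), sg), subst(v, sg)))
    # s -> w[t] and u -> v give s sigma -> w[v] sigma, provided not v > u
    if not is_var(l):
        for tt, put in nonvar_positions(t):
            sg = unify(tt, l)
            if sg is not None and size(v) <= size(l):
                out.append((subst(s, sg), subst(put(v), sg)))
    return out

def saturate(rules):
    """Close the system under ordered chaining; returns the rewrite closure."""
    closed = {canon(r) for r in rules}
    todo = list(closed)
    while todo:
        r = todo.pop()
        for q in list(closed):
            for new in chain(r, q) + chain(q, r):
                c = canon(new)
                if c[0] != c[1] and c not in closed:
                    closed.add(c)
                    todo.append(c)
    return closed

def show(t):
    if is_var(t):
        return t
    return t[0] if is_const(t) else t[0] + "(" + ", ".join(show(a) for a in t[1:]) + ")"

# Example 1 of the paper: R = {x + y -> y + x, x -> 0 + x}
ZERO = ("0",)
EXAMPLE1 = [(("+", "x", "y"), ("+", "y", "x")), ("x", ("+", ZERO, "x"))]

if __name__ == "__main__":
    for l, r in sorted(saturate(EXAMPLE1), key=lambda rule: show(rule[0]) + show(rule[1])):
        print(show(l), "->", show(r))
```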

2.4  Top-Stable  Terms,  Marked  Terms,  and  Marked  Rewriting 

In the rest of the paper we assume that $R$ is a flat linear term rewrite system, which is also saturated under the chaining inference rule.

Definition 5. A term $t$ with depth greater than 0 is said to be top-stable if it cannot be reduced to a depth 0 term. A depth 0 term $\alpha$ is top-stabilizable if it is equivalent to a top-stable term.

The following is a simple consequence of Lemma 1.

Lemma 3. The set $S_0 = \{f\alpha_1 \ldots \alpha_m : f\alpha_1 \ldots \alpha_m \text{ is } F\text{-irreducible}\}$ is the set of all top-stable flat terms.

The confluence test relies heavily on the concept of top-stable terms and depth 0 top-stabilizable terms. The basic observation is that if a top-stabilizable constant, say $c$, occurs at a certain position in a term, say $fct_2 \ldots t_m$, then this term ($fct_2 \ldots t_m$) is equivalent to a term $t = ft_1t_2 \ldots t_m$ with the property that $t$ rewrites to a depth 0 term via $R$ only if $fxt_2 \ldots t_m$ also does. Here, $t_1$ is chosen to be top-stable. So, when considering rewrites on $fct_2 \ldots t_m$ or $ft_1 \ldots t_m$, we should treat $c$ and $t_1$ as variables. This is roughly the intuition behind the following definitions of marked terms and marked rewriting.

Definition 6. A marking $M$ of a term $t$ is a set of leaf positions in $t$. A term $t$ with a marking $M$ is denoted by $(t, M)$.

A marked term $(s, M)$ rewrites to $(t, N)$ via marked rewriting if $s \to_{l \to r, \sigma, p} t$ for some position $p \notin M$ such that, if $l|_{p_1}$ is a constant then $p.p_1 \notin M$, and the new marking $N$ satisfies: (a) for all $q$ disjoint with $p$, we have $q \in M$ iff $q \in N$, (b) for all $p_1$, $p_2$ and $q$ such that $l|_{p_1}$ and $r|_{p_2}$ are the same variable, $p.p_1.q \in M$ iff $p.p_2.q \in N$, and (c) no more positions are in $N$.

A marked flat term $(s = f\alpha_1 \ldots \alpha_m, M)$ is said to be correctly marked if for all $i \in M$, we have that $\alpha_i$ is top-stabilizable.

Example 2. The marked term $(0 + x, \{1\})$, denoted as $\underline{0} + x$, cannot be rewritten with the rule $0 + x \to x$, but it can be rewritten with the rule $x + y \to y + x$ to $x + \underline{0}$.

The notions of size-irreducible terms, increasing derivations and top-stable terms can be adapted naturally to marked terms. All the arguments of Lemmas 1 and 2 are also valid for marked rewriting, and we have:

Lemma 4. If $(s, M) \to_R^* (t, N)$, then there is a derivation of the form $(s, M) \to_F^* \circ \to_P^* \circ \to_B^* (t, N)$. If $(s, M)$ is size-irreducible and $(s, M) \to_R^* (t, N)$, then there is an increasing derivation $(s, M) \to_R^* (t, N)$.
2.5 The Sets $S_\infty$ and $J_\infty$

The set $S_0$ of top-stable flat terms can be extended with empty markings to give the new set

$$\{(f\alpha_1 \ldots \alpha_m, \emptyset) : f\alpha_1 \ldots \alpha_m \in S_0\}$$

of marked top-stable terms, which we also denote by $S_0$. We add new marked flat terms to this set to get the set of all correctly marked top-stable flat terms and top-stabilizable constants (and a variable if some variable is top-stabilizable) using the following fixpoint computation, starting with the new set $S_0$.

$$\begin{array}{rl}
S_{j+1} = S_j & \cup\ \{c : c \leftrightarrow_R^* f\alpha_1 \ldots \alpha_m \text{ for some } (f\alpha_1 \ldots \alpha_m, M) \in S_j\}\\
& \cup\ \{(f\alpha_1 \ldots \alpha_m, M) : (f\alpha_1 \ldots \alpha_m, M) \text{ is top-stable and } \forall i \in M : \alpha_i \in S_j\}
\end{array}$$

Note that by Lemma 4, $(f\alpha_1 \ldots \alpha_m, M)$ is top-stable iff it is irreducible by $F$ by marked rewriting.

This iterative procedure of computing larger and larger subsets $S_j$ of the set of all marked flat terms is guaranteed to terminate in a polynomial number of steps. This is because the total number of flat marked terms, up to variable renaming, is polynomial, assuming $m$ is a constant.

Lemma 5. If $S_\infty$ is the fixpoint of the computation above, then, up to variable renaming, $(f\alpha_1 \ldots \alpha_m, M) \in S_\infty$ iff $(f\alpha_1 \ldots \alpha_m,
 M)$ is top-stable and correctly marked, and a depth 0 term $c \in S_\infty$ iff $c$ is top-stabilizable.

Definition 7. Two marked terms $(s, M)$ and $(t, N)$ are said to be structurally joinable if $(s, M) \to_R^* (s', M')$ and $(t, N) \to_R^* (t', N')$ for some terms $s'$ and $t'$ with the same structure (i.e., $\mathrm{Pos}(s') = \mathrm{Pos}(t')$, where $\mathrm{Pos}(s')$ is the set of all positions in $s'$) and equivalent leaf terms (i.e., for all leaf positions¹ $p \in \mathrm{Pos}(s')$, we have that $s'|_p$ and $t'|_p$ are equivalent).

We use the following fixpoint computation to obtain some structurally joinable pairs of marked terms.

$$J_0 = \{((\alpha, \emptyset), (\beta, M)) : \alpha \leftrightarrow_R^* \beta \text{ and } \alpha, \beta \text{ are depth 0 terms}\}$$

$$\begin{array}{l}
J_{j+1} = J_j \cup \{((\alpha, \emptyset), (f\beta_1 \ldots \beta_m, M)) :\\
\qquad (f\beta_1 \ldots \beta_m, M) \text{ is top-stable},\\
\qquad \alpha \to_R fa_1 \ldots a_m,\ (f\beta_1 \ldots \beta_m, M) \to_R (fb_1 \ldots b_m, N), \text{ and}\\
\qquad \forall i \in \{1 \ldots m\} \text{ either } a_i = b_i \text{ or } ((a_i, \emptyset), (b_i, N|_i)) \in J_j\}
\end{array}$$

where $N|_i$ contains the positions $p$ such that $i.p \in N$. Note that the $b_i$ can be considered depth 0 or 1 terms, and that the $a_i$ can be considered depth 0 or satisfying $a_i = b_i$.

Lemma 6. If $J_\infty$ is the fixpoint of the above computation, then it is the set of all structurally joinable pairs of terms of the form $((\alpha, \emptyset), (\beta, M))$ or $((\alpha, \emptyset), (f\beta_1 \ldots \beta_m, M))$, where $\alpha, \beta$ are depth 0 terms, and $(f\beta_1 \ldots \beta_m, M)$ is a flat top-stable marked term.

¹ Note that due to Proposition 1, for non-leaf positions $p \in \mathrm{Pos}(s')$, the root symbol of both $s'|_p$ and $t'|_p$ is $f$.
2.6 The Technical Lemma and the Result

Definition 8. A pair of rules $((l \to r), (l' \to r'))$ is useless if $l = x$ and $l' = y$ for some variables $x$ and $y$ that appear in $r$ and $r'$, respectively, at the same non-root position.

Two top-stable marked flat terms $(f\alpha_1 \ldots \alpha_m, M)$ and $(f\alpha'_1 \ldots \alpha'_m, M')$ are first-step joinable if there exist

$$(f\alpha_1 \ldots \alpha_m, M) \to_{(l \to r)\sigma} (fs_1 \ldots s_m, N)$$

$$(f\alpha'_1 \ldots \alpha'_m, M') \to_{(l' \to r')\sigma'} (fs'_1 \ldots s'_m, N')$$

such that every $s_i$ is equivalent to its corresponding $s'_i$, and $((l \to r), (l' \to r'))$ is not useless.

Note that first-step joinability can be efficiently computed, since it is enough to consider subterms $s_i$ and $s'_i$ of depth 0 or 1: if $r|_i$ is a variable not in $l$, we can force $r|_i\sigma = r'|_i\sigma'$ by modifying the substitutions, and the same if $r'|_i$ is a variable not in $l'$.

The polynomial time test for confluence depends on the following characterization using the sets $S_\infty$ and $J_\infty$ and the notion of first-step joinability.

Lemma 7. The rewrite system $R$ is confluent if and only if

(c1) Every pair $\alpha, \beta$ of equivalent depth 0 terms is joinable,

(c2) If $\alpha \leftrightarrow_R^* f\beta_1 \ldots \beta_m$ and $(f\beta_1 \ldots \beta_m, M) \in S_\infty$ then $(\alpha, \emptyset)$ and $(f\beta_1 \ldots \beta_m, M)$ are structurally joinable, i.e. $((\alpha, \emptyset), (f\beta_1 \ldots \beta_m, M)) \in J_\infty$,

(c3) If $(f\alpha_1 \ldots \alpha_m, M) \in S_\infty$ and $(f\beta_1 \ldots \beta_m, N) \in S_\infty$ are such that $f\alpha_1 \ldots \alpha_m \leftrightarrow_R^* f\beta_1 \ldots \beta_m$, then these two marked terms in $S_\infty$ are first-step joinable.

Proof. (Sketch) A correctly marked flat term $(f\alpha_1 \ldots \alpha_m, M)$ can be lifted to a term $fs_1 \ldots s_m$ by replacing the marked $\alpha_i$'s by equivalent top-stable and $F$-irreducible terms $s_i$'s.

$\Rightarrow$: Suppose $R$ is confluent. Condition (c1) follows from the definition of confluence.

Condition (c2). Suppose $\alpha \leftrightarrow_R^* f\beta_1 \ldots \beta_m$ and $(f\beta_1 \ldots \beta_m, M) \in S_\infty$. Using Lemma 5, we can lift $(f\beta_1 \ldots \beta_m, M)$ to the term $ft_1 \ldots t_m$. Since $(f\beta_1 \ldots \beta_m, M)$ is top-stable, it follows that $ft_1 \ldots t_m$ is top-stable. Now, $\alpha$ is equivalent to $ft_1 \ldots t_m$ and by confluence they are joinable. Since both are size-irreducible, there are increasing derivations of the form $\alpha \to_R^* u$ and $ft_1 \ldots t_m \to_R^* u$. We can extract an increasing derivation $(f\beta_1 \ldots \beta_m, M) \to_R^* (u' = u[\beta'_1]_{p_1} \ldots [\beta'_k]_{p_k}, N = \{p_1, \ldots, p_k\})$ from the latter derivation by ignoring all rewrite steps at or below marked positions. Using an auxiliary lemma, we can show that there exists a derivation $\alpha \to_R^* u[\beta''_1]_{p_1} \ldots [\beta''_k]_{p_k}$, such that $\beta''_i \leftrightarrow_R^* \beta'_i$.

Condition (c3). Let $(f\alpha_1 \ldots \alpha_m, M)$ and $(f\beta_1 \ldots \beta_m, N)$ be marked flat terms in $S_\infty$ such that $f\alpha_1 \ldots \alpha_m \leftrightarrow_R^* f\beta_1 \ldots \beta_m$. Again, using Lemma 5, we can lift $(f\alpha_1 \ldots \alpha_m, M)$ and $(f\beta_1 \ldots \beta_m, N)$ to size-irreducible terms $s = fs_1 \ldots s_m$ and $t = ft_1 \ldots t_m$. By confluence, $s$ and $t$ are joinable, and hence there exist increasing derivations $fs_1 \ldots s_m \to_{(l \to r)\sigma} fs'_1 \ldots s'_m \to_R^* u$ and $ft_1 \ldots t_m \to_{(l' \to r')\theta} ft'_1 \ldots t'_m \to_R^* u$. Such a $u$ can be chosen minimally, and consequently the pair $(l \to r, l' \to r')$ is not useless. Clearly, every $s'_i$ is equivalent to the corresponding $t'_i$. Now, by suitably modifying the substitutions $\sigma$ and $\theta$, we can get marked rewrite steps $(f\alpha_1 \ldots \alpha_m, M) \to_{(l \to r)\sigma'} (fs''_1 \ldots s''_m, M')$ and $(f\beta_1 \ldots \beta_m, N) \to_{(l' \to r')\theta'} (ft''_1 \ldots t''_m, N')$, such that $s''_i \leftrightarrow_R^* s'_i \leftrightarrow_R^* t'_i \leftrightarrow_R^* t''_i$. This shows that the two marked terms $(f\alpha_1 \ldots \alpha_m, M)$ and $(f\beta_1 \ldots \beta_m, N)$ are first-step joinable.

$\Leftarrow$: Suppose conditions (c1), (c2), and (c3) are satisfied, but $R$ is not confluent. Let $\{s, t\}$ be a witness to non-confluence, that is, $s$ and $t$ are equivalent, but not joinable. We compare witnesses by a multiset extension of the ordering $\succ$ defined earlier. First, we note that both $s$ and $t$ can be assumed to be size-irreducible, otherwise we would have a smaller counterexample to confluence.

If $s = fs_1 \ldots s_m$, then each $s_i$ is either top-stable or of depth 0. Similarly, for the term $t$. Additionally, if the top-stable subterms $s_i$ are equivalent to some depth 0 terms, then the term $s$ can be projected onto a correctly marked flat term $(f\alpha_1 \ldots \alpha_m, M)$ where either $\alpha_i$ is the depth 0 term equivalent to $s_i$ and $i \in M$, or $\alpha_i = s_i$. We differentiate the following cases based on the form of $s$ and $t$:

Case 1. $s$ and $t$ are both depth 0 terms: In this case, Condition (c1) implies that $s$ and $t$ are joinable, a contradiction.

Case 2. $s$ is a depth 0 term $\alpha$ and $t = ft_1 \ldots t_m$: We first claim that each $t_i$ is equivalent to a depth 0 term. If not, then w.l.o.g. let $t_1$ not be equivalent to any depth 0 term. Then $t_1$ cannot be "used" in the proof $\alpha \leftrightarrow_R^* ft_1 \ldots t_m$, and hence it can be replaced by a new variable $x$ in this proof to yield a new proof $\alpha' \leftrightarrow_R^* fxt_2 \ldots t_m$. If $\alpha'$ and $fxt_2 \ldots t_m$ are not joinable, then they are a smaller witness to non-confluence, a contradiction. If $\alpha'$ and $fxt_2 \ldots t_m$ are joinable, then $\alpha' = x$, and $\alpha$ and $t_1$ are equivalent, but not joinable. The pair $\{\alpha, t_1\}$ is a smaller witness to non-confluence, a contradiction again.

Let $(f\beta_1 \ldots \beta_m, M)$ be a projection of $t$. This marked term is top-stable and correctly marked, and hence by Lemma 5, it is in $S_\infty$. By condition (c2), $(\alpha, \emptyset)$ and $(f\beta_1 \ldots \beta_m, M)$ are structurally joinable, and hence, there exist $(\alpha, \emptyset) \to_R^* (s', \emptyset)$ and $(f\beta_1 \ldots \beta_m, M) \to_R^* (t', M')$ such that $\mathrm{Pos}(s') = \mathrm{Pos}(t')$, and for every leaf position $p \in \mathrm{Pos}(s')$ we have $s'|_p \leftrightarrow_R^* t'|_p$. If $M' = \{p_1 \ldots p_k\}$, then $t' = t'[\beta_{i_1}]_{p_1} \ldots [\beta_{i_k}]_{p_k}$, for some $i_1 \ldots i_k \in M$.

If we mimic the derivation $f\beta_1 \ldots \beta_m \to_R^* t'$, but now starting from $ft_1 \ldots t_m$, we obtain a derivation of the form $ft_1 \ldots t_m \to_R^* t'' = t'[t_{i_1}]_{p_1} \ldots [t_{i_k}]_{p_k}$. Moreover, each $t_{i_j}$ is equivalent to $t'|_{p_j} = \beta_{i_j}$, and hence, for each leaf position $p$ of $s'$ we have that $s'|_p$ and $t''|_p$ are equivalent, and $\mathrm{size}(t''|_p) < \mathrm{size}(t)$. Since $\alpha$ and $ft_1 \ldots t_m$ are not joinable, $s'$ and $t''$ are not joinable, and hence, for some leaf position $p$ of $s'$ we have that $s'|_p$ and $t''|_p$ are not joinable. For such a $p$, $\{s'|_p, t''|_p\}$ is a smaller witness to non-confluence, a contradiction.


Case 3. $s = fs_1 \ldots s_m$ and $t = ft_1 \ldots t_m$: Using arguments similar to the previous case, we can assume that the $s_i$'s and $t_i$'s are equivalent to depth 0 terms. Let $(f\alpha_1 \ldots \alpha_m, M)$ and $(f\beta_1 \ldots \beta_m, N)$ be the projections of $s$ and $t$. Both these marked terms are top-stable and correctly marked and hence, by Lemma 5, they are in $S_\infty$. By condition (c3), they are first-step joinable, i.e. there exist $(f\alpha_1 \ldots \alpha_m, M) \to_{(l_1 \to r_1)\sigma} (fs'_1 \ldots s'_m, M')$ and $(f\beta_1 \ldots \beta_m, N) \to_{(l_2 \to r_2)\theta} (ft'_1 \ldots t'_m, N')$ such that every $s'_i$ is equivalent to its corresponding $t'_i$ and $((l_1 \to r_1), (l_2 \to r_2))$ is not useless.

We apply these rewrite steps to the original terms to get $fs_1 \ldots s_m \to_{(l_1 \to r_1)\sigma'} fs''_1 \ldots s''_m = s''$ and $ft_1 \ldots t_m \to_{(l_2 \to r_2)\theta'} ft''_1 \ldots t''_m = t''$ by choosing $\sigma'$ and $\theta'$ such that for each $i \in \{1 \ldots m\}$, it is the case that (a) if $r_1|_i$ ($r_2|_i$) is a variable not appearing in $l_1$ ($l_2$), then $s''_i = t''_i$, and (b) if not, then either $s''_i$ ($t''_i$) is a constant or it coincides with one of the $s_j$ ($t_j$) or it coincides with $s$ ($t$). But it cannot happen that both $s''_i$ and $t''_i$ coincide with $s$ and $t$, respectively. This is because the rules $l_1 \to r_1$ and $l_2 \to r_2$ are not useless.

By construction, every $s''_i$ is equivalent to its corresponding $t''_i$. Since $s$ and $t$ are not joinable, $s''$ and $t''$ are not joinable, and hence, for some $i \in \{1 \ldots m\}$ we have that $s''_i$ and $t''_i$ are not joinable. This can only happen for case (b) above, and by the previous observation, $(s''_i, t''_i)$ is a smaller witness to non-confluence, a contradiction.


Finally, we are ready to state the main result.

Theorem 1. Confluence of linear shallow term rewrite systems can be decided in time polynomial in the size of the rewrite system, assuming the maximum arity of any function symbol is bounded by a constant.

Proof. The input linear shallow rewrite system is transformed into a flat linear rewrite system and then it is saturated under the ordered chaining inference rules. Flattening increases the size $|\mathcal{F}|$ of the signature by a linear factor of the input size. Now, the number of flat linear rewrite rules is bounded by a polynomial in the size $|\mathcal{F}|$ of the signature, and hence these two transformation steps run in polynomial time. Next, the sets $S_\infty$ and $J_\infty$ are computed, again using polynomial time fixpoint computations. Finally, confluence is tested using the characterization given in Lemma 7. The three conditions in Lemma 7 can be tested in polynomial time: (a) Equivalent depth zero terms can be identified because equivalence testing for flat linear rewrite systems can be efficiently done, say using standard completion modulo permutation rules. Joinability of depth zero terms can be tested in polynomial time using simple fixpoint computations, similar to previous work [13]. (b) It is also clear that the conditions (c2) and (c3) can be tested in polynomial time.

Example 3. For the rewrite system $R$ of Example 1, the set $S_\infty$ contains the terms $x + y$, $0 + x$, $x + 0$, $0 + 0$, where the positions of $0$ are marked. But the pairs $(0, 0 + 0)$, $(x, 0 + x)$, $(x, x + 0)$ are easily seen to be structurally joinable, while $(x + 0, 0 + x)$ is first-step joinable. Hence, this rewrite system is confluent.


3 Relaxing the Restrictions

The reachability, 2-joinability, and confluence problems for shallow term rewrite systems are not known to be decidable. But, we can establish the following lower bounds.

Theorem 2. The reachability problem for shallow term rewrite systems is EXPTIME-hard, even when the maximum arity is a constant.

Proof. We reduce the problem of deciding non-emptiness of language intersection of $n$ bottom-up tree-automata to this problem. The proof is similar to the proof of EXPTIME-hardness of rigid-reachability of shallow terms over ground systems [5]. Let $R_1$ be the union of the reversed transitions of all the $n$ tree-automata. We assume that the tree-automata have disjoint states with accepting states $q_1, q_2, \ldots, q_n$, respectively. Let $R_2 = \{a \to g(q_1, f(q_2, f(q_3, \ldots, f(q_{n-1}, q_n) \ldots))),\ fxx \to x,\ gxx \to b\}$, where $g, f$ are two new binary function symbols and $a, b$ are two new constants. Now, $a$ rewrites to $b$ via $R_1 \cup R_2$ iff the intersection of languages accepted by the $n$ automata is nonempty.

For shallow term rewrite systems, EXPTIME-hardness of 2-joinability follows from the hardness of reachability using the reduction in [15]. We next show hardness of deciding confluence of shallow term rewrite systems by modifying the proof of Theorem 2.

Theorem 3. Deciding confluence of shallow term rewrite systems is EXPTIME-hard, even when the maximum arity is a constant.

Proof. We add additional rewrite rules to the rewrite system generated in the proof of Theorem 2 to make the system confluent exactly when $b$ is reachable from $a$. First, we introduce a new constant $c$ in the signature $\mathcal{G}$ of the tree automata and convert all constants $d$ to unary terms $d(c)$. The rules in $R_1$ are modified to reflect this change. We assume that some ground term can be reached from any tree-automata state $q$ via $R_1$. Let $R_3 = \{c \to a,\ h(x_1, \ldots, x_{i-1}, b, x_{i+1}, \ldots, x_n) \to b \text{ for all } h \in \mathcal{G},\ fxb \to b,\ fbx \to b,\ gxb \to b,\ gbx \to b\}$. Now, consider the shallow term rewrite system $R = R_1 \cup R_2 \cup R_3 \cup \{d \to a,\ d \to b\}$, where $R_1$ and $R_2$ are as in the proof of Theorem 2 and $d$ is a new constant in the signature. We claim without proof that $R$ is confluent iff the $n$ tree-automata have a non-empty language intersection.

We also note here that reachability, 2-joinability, and confluence problems are undecidable for linear (non-shallow) term rewrite systems [15].

4 Conclusion

In this paper we presented a polynomial time algorithm for deciding confluence of linear shallow term rewrite systems where each variable is allowed at most two occurrences in a rule, one on each side. The time complexity analysis assumes that the maximum arity of a function symbol in the signature is a constant. Our result generalizes those in [2, 13]. We also show that the reachability, joinability and confluence problems are all EXPTIME-hard for shallow non-linear systems, and all three are known to be undecidable for linear non-shallow systems, which indicates that our assumptions cannot be easily relaxed without considerably losing efficiency. Our technique can be adapted to decide ground confluence of linear shallow term rewrite systems in polynomial time. It is not clear whether our method can give polynomial time algorithms to decide confluence when we have non-fixed arity or for rule-linear rewrite systems (no variable appears twice in the whole rule) that are not necessarily shallow, and this is a matter for future work.
Abstract

SAL stands for Symbolic Analysis Laboratory. It is a framework for combining different tools for abstraction, program analysis, theorem proving, and model checking toward the calculation of properties (symbolic analysis) of transition systems. A key part of the SAL framework is a language for describing transition systems. This language serves as a specification language and as the target for translators that extract the transition system description for popular programming languages such as Esterel, Java, and Statecharts. The language also serves as a common source for driving different analysis tools through translators from the SAL language to the input format for the tools, and from the output of these tools back to the SAL language.

The SAL language was originally designed in collaboration with David Dill of Stanford University and Thomas Henzinger of the University of California at Berkeley. The version presented here is the one currently accepted by the tools developed at SRI.
Chapter 1

Introduction

SAL stands for Symbolic Analysis Laboratory. It is a framework for combining different tools for abstraction, program analysis, theorem proving, and model checking toward the calculation of properties (symbolic analysis) of transition systems. A key part of the SAL framework is a language for describing transition systems. This language serves as a specification language and as the target for translators that extract the transition system description for popular programming languages such as Esterel, Java, and Statecharts. The language also serves as a common source for driving different analysis tools through translators from the SAL language to the input format for the tools, and from the output of these tools back to the SAL language.

The basic high-level requirements on the SAL language are

1. Generality: It should be possible to effectively capture the transition semantics of a wide variety of source languages.

2. Minimality: The language should not have redundant or extraneous features that add complexity to the analysis. The language must capture transition system behavior without any complicated control structures.

3. Semantic Regularity: The semantics of the language ought to be standard and straightforward so that it is easy to verify the correctness of the various translations with respect to linear and branching time semantics. The semantics should be definable in a formal logic such as PVS.

4. Language Modularity: The language should be parametric with respect to orthogonal features such as the type/expression sublanguage, the transition sublanguage, and the module sublanguage.

5. Compositionality: The language must have a way of defining transition system modules that can be composed in a meaningful way. Properties of systems composed from modules can then be derived from the individual module properties.

• Synchronous composition: In this form of composition, modules react to inputs synchronously or in zero time, as with combinational circuitry in hardware. In order to achieve semantic hygiene, causal loops arising in such synchronous interactions have to be eliminated. The constraints on the language for the elimination of causal loops should not be so onerous as to rule out sensible specifications.

• Asynchronous composition: Modules that are driven by independent clocks are modeled by means of interleaving the atomic transitions of the individual modules.

We present the SAL language in stages consisting of the type system, the expression language, the transition language, modules, synchronous and asynchronous composition of modules, and the specification of systems. The language is largely modular in these choices in the sense that many of the language choices can be independently modified without affecting the other choices. The language is presented in terms of its concrete or presentation syntax but only the internal or abstract syntax is really important for tool interaction.

The SAL language is not that different from the input languages used by various other verification tools such as SMV [3], Murphi [4], Mocha [1], and SPIN [2]. Like these languages, SAL describes transition systems in terms of initialization and transition commands. These can be given by variable-wise definitions in the style of SMV or as guarded commands in the style of Murphi.
Chapter 2

A Simple Example: An N-bit Adder

An N-bit ripple-carry adder module is specified from a one-bit adder module by composing a base one-bit adder module with the synchronous multicomposition of N-1 one-bit adder modules. The one-bit adder takes three inputs: the two input bits a and b and the carry-in bit cin, and returns two outputs: the sum bit sum and the carry-out bit cout. See Figure 2.1. The N-bit adder takes three inputs: the two input bit-vectors A and B and the carry-in bit carryin, and returns two outputs: the sum vector S and the carry-out vector C. See Figure 2.2.

The adder module is definitional, as is usual for a purely combinational circuit description. This means there are no guarded commands, and the adders are synchronously composed.

Note that the requirement that types be nonempty means that the N-bit adder cannot be used to model a 1-bit adder. We plan on allowing empty types in the future; see Section 8.4.


adder:  CONTEXT  = 

BEGIN 

onebitadder:  MODULE  = 

BEGIN 

INPUT  cin,  a,  b:  BOOLEAN 
OUTPUT  cout,  sum:  BOOLEAN 
DEFINITION 

sum  =  (a  XOR  b)  XOR  cin  ; 

cout  =  (a  AND  b)  OR  (a  AND  cin)  OR  (b  AND  cin) 

END; 

Nbitadder  [N  :  {n:  NATURAL  |  n  >  1}]  :  MODULE  = 

WITH  INPUT  A,  B  :  ARRAY  [0  ..  N-l]  OF  BOOLEAN,  carryin:  BOOLEAN; 

OUTPUT  S,  C  :  ARRAY  [0  ..  N-l]  OF  BOOLEAN 

RENAME  a  TO  A[0],  b  TO  B  [0] ,  cin  TO  carryin, 
sum  TO  S [0]  ,  cout  TO  C  [0]  IN 
onebitadder 

I  I 

(I  I  (i  :  [1  ..  N-l]): 

(RENAME  a  TO  A[i]  ,  b  TO  B[i]  ,  cin  TO  C[i-1]  , 
sum  TO  S  [i] ,  cout  TO  C  [i]  IN 
onebitadder) ) ; 

END 
Figure 2.1: Module adder

Figure 2.2: Module Nbitadder
Chapter 3

The Expression Language

The conventions used in presenting the SAL grammar are that tokens are given in teletype font,
[ optional ] indicates that optional is optional, {category}+ indicates one or more occurrences of
the syntactic category category separated by commas, and {category}* indicates zero or more
repetitions of category separated by commas. Separators other than comma can be used, so that a
transition given by a set of named guarded commands separated by the choice operator [] can be
written as {NamedCommand}+ with [] as the separator. Nonterminals are written in italics.

The SAL language needs to be liberal in order to accommodate translations from other source
languages. For this reason, identifiers include a large number of operators. The special symbols
are parentheses ((, )), brackets ([, ]), braces ({, }), the percent sign (%), comma (,), period (.),
colon (:), semi-colon (;), single quote ('), exclamation point (!), hash (#), question mark (?), and
underscore (_). Tokens can be separated by WhiteSpace, which consists of spaces, tabs, carriage
returns, and line feeds.

SpecialSymbol := ( | ) | [ | ] | { | } | % | , | . | : | ; | ' | ! | # | ? | _
Letter        := a | ... | z | A | ... | Z
Digit         := 0 | ... | 9
Identifier    := Letter {Letter | Digit | ? | _}*
               | {Opchar}+
Numeral       := {Digit}+

An Opchar is any character that is not a Letter, Digit, SpecialSymbol, or WhiteSpace. For example,
f1_3 and +-+ are identifiers, but a+-1 is three tokens: two identifiers (a and +-), and a numeral.

The grammar is case-sensitive. The reserved words must be in upper case. The reserved words are:

AND, ARRAY, BEGIN, BOOLEAN, CLAIM, CONTEXT, DATATYPE, DEFINITION, ELSE, ELSIF,
END, ENDIF, EXISTS, FALSE, FORALL, GLOBAL, IF, IN, INITIALIZATION, INPUT, INTEGER,
LAMBDA, LEMMA, LET, LOCAL, MODULE, NATURAL, NOT, NZINTEGER, NZREAL, OBLIGATION,
OF, OR, OUTPUT, REAL, RENAME, THEN, THEOREM, TO, TRANSITION, TRUE, TYPE, WITH, XOR.

Comments in SAL are preceded by the % symbol and terminated by an end-of-line.
3.1 Types¹

The SAL language supports the built-in basic types for booleans, natural numbers, integers, and
reals. New basic types may be introduced using uninterpreted type declarations. Types may be
used in type constructions to create subtype, subrange, array, function, tuple, and record types.
Function, tuple, and record types may be dependent. In addition to uninterpreted type declarations,
which introduce a name without a defining form, type declarations may be used to introduce names
for existing types, as well as scalars and datatypes. The grammar for types is given by

TypeDef        := Type | ScalarType | DataType
Type           := BasicType | Name | Subrange | SubType | ArrayType | TupleType
                | FunctionType | RecordType | StateType
BasicType      := BOOLEAN | REAL | INTEGER | NZINTEGER | NATURAL | NZREAL
Name           := Identifier
QualifiedName  := Identifier[ {ActualParameters} ] ! Identifier
Subrange       := [ Bound .. Bound ]
SubType        := { Identifier : Type | Expression }
Bound          := Unbounded | Expression
Unbounded      := _
ArrayType      := ARRAY IndexType OF Type
IndexType      := INTEGER | Subrange | ScalarTypeName
ScalarTypeName := Name
TupleType      := [ VarType , {VarType}+ ]
FunctionType   := [ VarType -> Type ]
VarType        := [ Identifier : ] Type
RecordType     := [# {Identifier : Type}+ #]
StateType      := Module . STATE
ScalarType     := { {Identifier}+ }
DataType       := DATATYPE Constructors END
Constructors   := {Identifier [ ( Accessors ) ]}+
Accessors      := {Identifier : Type}+
A TypeDef is a type expression that can occur as the body of a type declaration, whereas a Type is
more restrictive and circumscribes the types that can be used within an expression or a transition
system module. Two types are equivalent if they are identical modulo the renaming of bound
variables, the rearrangement of record labels, the equality of subtype predicates, and the unfolding
of the definitions of defined types that are not scalar types or datatypes. Equivalence for types
that are defined to be uninterpreted, scalar types, and datatypes is just name equivalence. Name
equivalence is not a simple concept because compound names consist of the context name, actual
parameters, and the identifier. Two names are equivalent if they agree on the context name and
the identifier, and the actual parameters, which are either types or expressions, are equivalent.

¹ SAL types are very similar to PVS types, both syntactically and semantically. See the PVS Language Reference [5].
Types in SAL (as in PVS) are modeled as sets, and two types are equivalent when every element
of one is an element of the other. Thus the dependent types

[# a: INTEGER, b: {x: INTEGER | x < a} #]

[# b: INTEGER, a: {x: INTEGER | b < x} #]

are equivalent, and similarly for tuples. One way to see this equivalence is to note that each is
equivalent to the type

{r: [# a: INTEGER, b: INTEGER #] | r.b < r.a}

Note that in an array type, the index type must be either INTEGER, a subrange, or a scalar type.
SAL has a higher-order type system since it contains function types between arbitrary domain and
range types. SAL types need not be finite, and the REAL and INTEGER types, for example, are
infinite. The REAL type is the mathematical reals, not a floating point representation. Arrays with
infinite index and range types are also admissible.

There is a fixed set of subtyping relations among the types that naturally corresponds to a subset
relation between the denotations of these types. The subrange type [a .. b] is an abbreviation
for {x: INTEGER | a <= x AND x <= b}, [a .. _] is an abbreviation for {x: INTEGER | a <= x},
and [_ .. b] is an abbreviation for {x: INTEGER | x <= b}. The type NATURAL is merely
an abbreviation for {x: INTEGER | 0 <= x}. Any subrange is a subtype of a larger subrange. It
is also a subtype of INTEGER. An array (function) type A is a subtype of another array (function)
type B if the index types are identical, and the range type of A is a subtype of the range type of B.
Similarly, a record type A is a subtype of another record type B if every element of A is an element
of B, which means the label sets must be the same, though as described in type equivalence, the
corresponding types do not have to be in the subtype relation.

A StateType is a record type representing the state of the specified module. This is described in
more detail below.

All types must be checked to be nonempty through the possible generation of proof obligations
entailing nonemptiness.

Recursive datatypes can be used to define list and tree-like types. The datatype is specified by a
list of constructor operations, each with a list of accessor operations. For example, the list type of
integers is constructed as

intlist: TYPE = DATATYPE
  cons(car : INTEGER, cdr : intlist),
  nil
END

Recognizers are automatically generated by appending a ? to the corresponding constructor. Thus
cons? and nil? are recognizers for intlist. These may be used in definitions. For example,
length may be defined recursively² as

length: [intlist -> NATURAL] =
  LAMBDA (lst: intlist):
    IF nil?(lst) THEN 0 ELSE 1 + length(cdr(lst)) ENDIF

² This will lead to proof obligations showing that the function is total, i.e., terminating.

3.2 Expressions

Expressions in the SAL language have to be type-correct with respect to the types in the type
language. The expressions consist of constants, variables, applications with Boolean, arithmetic,
and bit-vector operations, and array, function, tuple, and record selection and updates. Conditional
(if-then-else) expressions are also part of the expression language.

Expression := NameExpr
            | QualifiedNameExpr
            | NextVariable
            | Numeral
            | Application
            | InfixApplication
            | ArraySelection
            | RecordSelection
            | TupleSelection
            | UpdateExpression
            | LambdaAbstraction
            | QuantifiedExpression
            | LetExpression
            | SetExpression
            | ArrayLiteral
            | RecordLiteral
            | TupleLiteral
            | Conditional
            | ( Expression )
            | StatePred

NameExpr             := Name
QualifiedNameExpr    := QualifiedName
NextVariable         := Identifier '
Application          := Function Argument
Function             := Expression
Argument             := ( {Expression}+ )
InfixApplication     := Expression Identifier Expression
ArraySelection       := Expression [ Expression ]
RecordSelection      := Expression . Identifier
TupleSelection       := Expression . Numeral
UpdateExpression     := Expression WITH Update
Update               := UpdatePosition := Expression
UpdatePosition       := {Argument | [ Expression ] | . Identifier | . Numeral}+
LambdaAbstraction    := LAMBDA ( VarDecls ) : Expression
VarDecls             := {VarDecl}+
VarDecl              := {Identifier}+ : Type
QuantifiedExpression := Quantifier ( VarDecls ) : Expression
Quantifier           := FORALL | EXISTS
LetExpression        := LET LetDeclarations IN Expression
LetDeclarations      := {Identifier : Type = Expression}+
SetExpression        := SetListExpression | SetPredExpression
SetPredExpression    := { Identifier : Type | Expression }
SetListExpression    := { {Expression}+ }
ArrayLiteral         := [ [IndexVarDecl] Expression ]
IndexVarDecl         := Identifier : IndexType
RecordLiteral        := (# {RecordEntry}+ #)
RecordEntry          := Identifier := Expression
TupleLiteral         := Argument
Conditional          := IF Expression ThenRest
ThenRest             := THEN Expression {ElsIf}* ELSE Expression ENDIF
ElsIf                := ELSIF Expression ThenRest
StatePred            := Module . (INIT | TRANS)


The unary operators include boolean negation NOT and integer minus -.
The binary operators include

• Polymorphic equality = and disequality /=. Note that since subtypes are semantically the
same as subsets, equality and disequality are defined on the maximal supertype of a type.

• Boolean operations of conjunction AND, disjunction OR, implication =>, equivalence <=>, and
exclusive-or XOR.

• Real arithmetic operations of addition +, subtraction -, multiplication *, division /, and the
comparison operators <, <=, >, >=. Note that the divisor type of division is restricted to
NZREAL and the type rules generate a proof obligation if the divisor is not known to be nonzero.
The integer arithmetic operations of DIV and MOD are included in the binary operations. Both
require nonzero integers, i.e., NZINTEGER, in the divisor position and they satisfy the equation

a = b * (a DIV b) + (a MOD b)
Although the parser allows any Identifier as an infix operator, it is clearly useful to have a standard
operator precedence so that expressions such as y + 1 = x AND A are not parsed nonsensically, e.g.,
as y + (1 = (x AND A)). The precedence is as follows, from lowest to highest:

<=>
=>
OR, XOR
AND
=, /=
>, >=, <, <=
Other Identifier
+, -
*, /

<=>, OR, XOR, AND, +, infix -, *, and / are all left-associative, => is right-associative, and the rest
are non-associative.

The LetExpression is parallel; to get the sequential form, use nested LETs, e.g.,

LET a = f(b) IN
  LET b = f(a) IN e

The proof obligations generated during typechecking are called type correctness conditions (TCCs).
In addition to operations with subtype domains such as division, the sources of TCCs include
expressions of subrange types, recursive datatypes, recursive definitions, and type nonemptiness.

An expression without NextVariables is called a current expression and is represented by the
nonterminal CExpression. We will not define its grammar, but it essentially corresponds to the
grammar for Expression with the occurrences of NextVariable removed.

SAL expressions contain two kinds of variables: logical variables and state variables. The state
variables are either current variables or NextVariables. SAL types and expressions are given a
semantics with respect to a model $\mathcal{M}$ that fixes the meanings of types, constants, and operators,
an assignment $\rho$ of values to the free logical variables, and an assignment of values to the current
variables $x$ and the NextVariables $x'$ by a pair of states $(r, s)$. The meaning of expression $e$ with
respect to model $\mathcal{M}$, assignment $\rho$, and a pair of states $(r, s)$ is given by $\mathcal{M}[\![e]\!]_{\rho,(r,s)}$. If variable
$x$ has type $A$, then the interpretation of $x$ in state $s$, $s(x)$, must be an element of $\mathcal{M}[\![A]\!]$. If $x$ is
a variable in the state type, then $\mathcal{M}[\![x]\!]_{\rho,(r,s)} = r(x)$ and $\mathcal{M}[\![x']\!]_{\rho,(r,s)} = s(x)$. The interpretations of
types and operators are the standard ones. When expression $e$ does not contain any NextVariables,
we write the meaning of $e$ as $\mathcal{M}[\![e]\!]_{r}$.

The StatePred expressions provide access to the initialization predicate and transition relations for
a given module M. In particular, M.INIT is of type [M.STATE -> BOOLEAN] and M.TRANS is of
type [M.STATE, M.STATE -> BOOLEAN].
Chapter 4

The Transition Language

A transition system module consists of a state type, an invariant definition on this state type, an
initialization condition on this state type, and a binary transition relation of a specific form on the
state type. The state type is defined by four pairwise disjoint sets of input, output, global, and local
variables. The input and global variables are the observed variables of a module, and the output,
global, and local variables are the controlled variables of the module. The language constructs for
defining modules from transition systems are treated in Chapter 5.

The transition rules are constraints on the current and next states of the transition. The current
variables are written as X whereas the next state variables are written as X'.

4.1 Definitions

Definitions are the basic constructs used to build up the invariants, initializations, and transitions of
a module. Definitions are used to specify the trajectory of variables in a computation by providing
constraints on the controlled variables in a transition system. For variables ranging over aggregate
data structures like records or arrays, it is possible to define each component separately. For
example,

x' = x + 1

simply increments the state variable x, where x' is the new state of the variable,

y'[i] = 3

sets the new state of the array y to be 3 at index i, and to remain unchanged at all other indices,
and

z.foo.1[0] = y

constrains state variable z, which is a record whose foo component is a tuple, whose first component
in turn is an array of the same type as y.

The left-hand side of a definition is given by the nonterminal Lhs.
Lhs          := Identifier [ ' ] {Access}*
Access       := ArrayAccess | RecordAccess | TupleAccess
ArrayAccess  := [ Expression ]
RecordAccess := . Identifier
TupleAccess  := . Numeral

Simple definitions are of the form

SimpleDefinition := Lhs RhsDefinition
RhsDefinition    := RhsExpression | RhsSelection
RhsExpression    := = Expression
RhsSelection     := IN Expression

For an RhsExpression, the Lhs is simply assigned the corresponding value. For an RhsSelection,
the Lhs is assigned any value satisfying the expression, which must be a predicate (a boolean-valued
LambdaAbstraction or a SetExpression). This predicate must be satisfiable; an invariant obligation
is generated if it cannot be determined to be nonempty.

Note that in an Access, all unspecified components are unchanged; thus x'[i].name = Ed is
equivalent to x' = x WITH [i].name := Ed. If the given transition has multiple assignments to x,
they must all be collected to get the equivalent form; for example, the assignments

x'[0].name = Ed;
x'[1].name = Al

are equivalent to x' = x WITH [0].name := Ed WITH [1].name := Al.

There are other restrictions on the Access. Within a given DEFINITION, INITIALIZATION, or
TRANSITION section of a module the Lhs accesses must all be unique. Thus the assignments

x'[3] = 0;
x'[f(3)] = 0

will generate a proof obligation that 3 /= f(3). Note that it does not matter that these are really
the same assignment when the indices are equal; the obligation will still be generated.

A transition equation in the TRANSITION section defines a NextVariable on the left-hand side in
terms of an expression that can contain NextVariable occurrences. A SimpleDefinition can occur
in the TRANSITION section of a transition system. An array index expression on the left-hand side
must not contain any state variables.

Definitions      := {Definition}+
Definition       := SimpleDefinition | ForallDefinition
ForallDefinition := (FORALL ( VarDecls ) : Definitions)

In a transition system module, a controlled variable must be defined exactly once. It is easy to
write definitions that admit causal cycles such as:

X = NOT Y;

Y = X
Such causal loops can lead to contradictory or meaningless definitions and have to be ruled out.
One way to avoid causal loops is by means of an ordering on the variables so that the right-hand
side of a definition can contain only those variables that are lower in the ordering. However, such
a restriction would rule out natural definitions where variables can depend on each other without
triggering a causal loop, for example

X = IF A THEN NOT Y ELSE C ENDIF

Y = IF A THEN B ELSE X ENDIF

Here there is no causal loop since X depends on Y only when A holds, and Y depends on X only
when NOT A holds. A dependency analysis generates a Boolean formula indicating the governing
conditions $GC(X, Y)$ under which a variable X immediately depends on another variable Y. The
governing conditions are required to be current expressions. For example, $GC(X, Y)$ for the above
definition of X yields A. If there is no assignment defining X in terms of Y then $GC(X, Y)$ is false.
Then $GC^*(X, Y)$ yields the governing conditions under which a variable X could indirectly depend on
a variable Y. For example, if X depends on a variable Z that in turn depends on Y, then $GC^*(X, Y)$
is just $GC(X, Y) \lor (GC(X, Z) \land GC(Z, Y))$. Thus, in the above definitions of X and Y, $GC^*(X, X)$
is $A \land \neg A$. The dependency conditions can be used to generate the conditions $C_X$ under which a
variable X could depend on itself. For such dependency loops to be avoided, the condition $C_X$ must
be shown to be invariantly false in the transition system. In the above example, $C_X$ would be
the obviously unreachable assertion $A \land \neg A$. The dependency analysis (causality checks) generates
proof obligations to this effect. A similar dependency analysis can be carried out for initialization
definitions and transition definitions.
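The dependency analysis just described, worked through in Python as an added example (this is not code from the SAL manual or the SAL tools): definitions are given as a small constructed formula AST, GC and GC* are computed as above, and C_X is checked for satisfiability by truth-table enumeration, which stands in for the proof obligation. The optional guard argument applies the conjunction g ∧ C_X used for guarded commands in Section 4.2; the AST shape and the assumption that both operands of AND and OR are always evaluated are choices made for the example.

```python
from itertools import product

# Formula AST (constructed for this example): True | False | ('var', name)
# | ('not', f) | ('and', f, g) | ('or', f, g) | ('if', cond, then, else)

def v(name):
    return ('var', name)

def atoms(f, acc=None):
    """Collect the variable names occurring in a formula."""
    acc = set() if acc is None else acc
    if isinstance(f, tuple):
        if f[0] == 'var':
            acc.add(f[1])
        else:
            for sub in f[1:]:
                atoms(sub, acc)
    return acc

def evaluate(f, env):
    """Evaluate f under a total assignment env: name -> bool."""
    if isinstance(f, bool):
        return f
    op = f[0]
    if op == 'var':
        return env[f[1]]
    if op == 'not':
        return not evaluate(f[1], env)
    if op == 'and':
        return evaluate(f[1], env) and evaluate(f[2], env)
    if op == 'or':
        return evaluate(f[1], env) or evaluate(f[2], env)
    if op == 'if':
        return evaluate(f[2], env) if evaluate(f[1], env) else evaluate(f[3], env)
    raise ValueError(op)

def satisfiable(f):
    """Truth-table check; governing conditions mention only a few atoms."""
    names = sorted(atoms(f))
    return any(evaluate(f, dict(zip(names, bits)))
               for bits in product((False, True), repeat=len(names)))

def equivalent(f, g):
    return not satisfiable(('or', ('and', f, ('not', g)), ('and', g, ('not', f))))

def governing(expr, y):
    """Condition under which evaluating expr reads variable y.  Both operands
    of AND/OR are taken to be evaluated; an IF reads its THEN branch only
    under the condition and its ELSE branch only under the negation."""
    if isinstance(expr, bool):
        return False
    op = expr[0]
    if op == 'var':
        return expr[1] == y
    if op == 'not':
        return governing(expr[1], y)
    if op in ('and', 'or'):
        return ('or', governing(expr[1], y), governing(expr[2], y))
    if op == 'if':
        c, t, e = expr[1:]
        return ('or', governing(c, y),
                ('or', ('and', c, governing(t, y)),
                       ('and', ('not', c), governing(e, y))))
    raise ValueError(op)

def gc_table(defs):
    """GC(X, Y) for every pair of defined variables (False when the
    definition of X does not mention Y)."""
    return {x: {y: governing(defs[x], y) for y in defs} for x in defs}

def or_all(fs):
    out = False
    for f in fs:
        out = ('or', out, f)
    return out

def gc_star(defs):
    """GC*(X, Y) = GC(X, Y) OR (GC(X, Z) AND GC*(Z, Y)), iterated once per
    variable so that every dependency path of length <= n is covered."""
    gc = gc_table(defs)
    star = {x: dict(gc[x]) for x in defs}
    for _ in defs:
        star = {x: {y: or_all([gc[x][y]] +
                              [('and', gc[x][z], star[z][y]) for z in defs])
                    for y in defs} for x in defs}
    return star

def causal_loop_conditions(defs):
    """C_X = GC*(X, X): the condition under which X depends on itself."""
    star = gc_star(defs)
    return {x: star[x][x] for x in defs}

def causal_loops(defs, guard=True):
    """Variables whose loop condition, conjoined with the guard g of an
    enclosing guarded command (True for plain definitions), is satisfiable.
    An empty list means the causality obligation is trivially discharged."""
    return sorted(x for x, c in causal_loop_conditions(defs).items()
                  if satisfiable(('and', guard, c)))

# Constructed inputs: the two definition sets discussed in Section 4.1.
LOOP_DEFS = {'X': ('not', v('Y')), 'Y': v('X')}
GUARDED_DEFS = {'X': ('if', v('A'), ('not', v('Y')), v('C')),
                'Y': ('if', v('A'), v('B'), v('X'))}

if __name__ == '__main__':
    print(causal_loops(LOOP_DEFS))     # ['X', 'Y']: X = NOT Y; Y = X is a loop
    print(causal_loops(GUARDED_DEFS))  # []: C_X is A AND NOT A, unsatisfiable
```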


4.2 Guarded Commands

Definitions are convenient for specifying the values taken on by those controlled variables whose
transitions can be independently specified in a simple equational form. Definitions have some
drawbacks. For variables whose definitions follow a similar case structure, this case structure
has to be repeated in each of the definitions. For such controlled variables, it is convenient to
specify their initialization and transitions in terms of guarded commands. Each guarded command
consists of a guard formula and an assignment part. The guard is a boolean expression in the current
controlled (local, global, and output) variables and current and next state input variables. The
assignment part is a list of equalities between a left-hand side next state variable and a right-hand
side expression in current and next state variables.

GuardedCommand := Guard --> Assignments
Guard           := Expression
Assignments     := {SimpleDefinition}* [ ; ]

Note that both the initializations and transitions may be specified by guarded assignments. No
variable that is defined in the Lhs of a definition can be assigned in either a guarded initialization or
transition. The initializations must not contain next state variables, whereas the transitions must
have next state variables on the left-hand side of assignments, and may have next state variables
on the right-hand side. The well-formedness checks on the guarded transitions are that the guard
must not contain controlled next state variables, i.e., X' for some controlled variable X, since these
variables are only assigned values in the assignment part. The assignments in the assignment part
must ensure that no controlled variable is assigned more than once.

The causality checks and proof obligations corresponding to a guarded initialization or transition
are similar to those for definitions. The primary difference is that current conjuncts in the guard
can be conjoined to the conditions when the proof obligations are generated. For example, if
there is a guarded command of the form g --> Assignments where the dependency analysis on
the combination of the Assignments and the definitions yields the conditions for a causal loop on
variable X as $C_X$, then the conjunction $g \land C_X$ must be shown to be unreachable.

Note that the initialization and transition sections may contain simple definitions and/or guarded
commands. The model of execution is that when the module gets activated, one guarded transition
is chosen so that the guard formula holds in the current (and possibly next input) state, and
the transition is the conjunction of the associated guarded transition with all the definitions of the
transition section(s). If no guard is satisfied, the module may deadlock. A synchronously composed
system is deadlocked if any of its component modules is. An asynchronously composed system is
only deadlocked if all its components are. If you want to ensure a given module does not deadlock,
just make sure that there is always some guard of the module that holds true (the ELSE clause is
useful for this).
A module is a self-contained specification of a transition system in SAL. Modules can be independently
analyzed for properties and composed synchronously or asynchronously. Here is a fairly
simple module declaration.

m : MODULE =
BEGIN
  INPUT temp: INTEGER
  LOCAL high: BOOLEAN, ctr: NATURAL
  OUTPUT danger: BOOLEAN
  DEFINITION high = temp > 100
  INITIALIZATION ctr = 0; danger = FALSE
  TRANSITION [ ctr > 3 --> danger' = danger OR high
            [] ctr <= 3 AND high --> ctr' = ctr + 1
            [] ELSE --> ctr' = 0
            ]
END

Here m is a BaseModule that is intended to monitor the temperature and indicate a problem if the
temperature stays high for too long. It declares the input variable temp, local variables high and
ctr, and output variable danger. Initially danger is FALSE and ctr is 0, and when this module is
activated it sets danger to TRUE if temp exceeds 100 more than 3 times in a row.
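The execution model of Section 4.2 (one enabled guarded command chosen per step, the DEFINITION kept as an invariant, unassigned controlled variables unchanged, ELSE enabled only when no other guard is) applied to the module m above, as an added example in Python; it is not SAL and not part of the manual or the SAL tools. The two constructed sample temperatures and the use_else switch, which shows the deadlock the text warns about when the ELSE clause is dropped, are assumptions made for the example.

```python
from collections import deque

# Constructed sample inputs: only temp > 100 matters to the guards of m, so
# one low and one high temperature cover every input case.
TEMPS = (50, 150)

# INITIALIZATION ctr = 0; danger = FALSE.  A state is the pair (ctr, danger);
# the DEFINITION high = temp > 100 is recomputed from the input each step.
INITIAL = (0, False)

def enabled_commands(state, temp, use_else=True):
    """Return [(guard label, next state)] for every guarded command of m whose
    guard holds.  Controlled variables a command does not assign keep their
    value.  ELSE is enabled only when no other guard is (use_else=False
    models the module with the ELSE clause removed)."""
    ctr, danger = state
    high = temp > 100
    enabled = []
    if ctr > 3:
        enabled.append(("ctr > 3", (ctr, danger or high)))
    if ctr <= 3 and high:
        enabled.append(("ctr <= 3 AND high", (ctr + 1, danger)))
    if not enabled and use_else:
        enabled.append(("ELSE", (0, danger)))
    return enabled

def run(temps):
    """Execute m on a concrete input sequence.  The guards of m are disjoint,
    so the run is deterministic; returns the final (ctr, danger) state."""
    state = INITIAL
    for temp in temps:
        (_, state), = enabled_commands(state, temp)
    return state

def explore(use_else=True):
    """Breadth-first search over all input sequences drawn from TEMPS.
    Returns depth: reachable state -> length of the shortest input
    sequence that reaches it."""
    depth = {INITIAL: 0}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        for temp in TEMPS:
            for _, nxt in enabled_commands(s, temp, use_else):
                if nxt not in depth:
                    depth[nxt] = depth[s] + 1
                    queue.append(nxt)
    return depth

def deadlock_states(use_else=True):
    """Reachable states in which some input satisfies no guard at all; the
    check the text recommends making before composing the module."""
    return sorted(s for s in explore(use_else)
                  if any(not enabled_commands(s, t, use_else) for t in TEMPS))

def steps_to_danger():
    """Length of the shortest input sequence that makes danger TRUE."""
    return min(d for (_, danger), d in explore().items() if danger)

if __name__ == '__main__':
    print(sorted(explore()))          # six reachable states, ctr never above 4
    print(deadlock_states())          # []  (ELSE keeps some guard enabled)
    print(deadlock_states(False))     # ctr <= 3 states deadlock on a low input
    print(steps_to_danger())          # 5
    # Once ctr > 3 only the first guard is enabled, so ctr is never reset:
    print(run([150] * 4 + [50, 150]))  # (4, True)
```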

Once base modules are declared, they may be composed synchronously or asynchronously to yield
new modules. The grammar for module expressions is given below. The grammars for Definitions
and GuardedCommand are described in the previous chapter, but are repeated here for convenience.

Module := BaseModule
        | ModuleInstance
        | SynchronousComposition
        | AsynchronousComposition
        | MultiSynchronous
        | MultiAsynchronous
        | Hiding
        | NewOutput
        | Renaming
        | WithModule
        | ObserveModule
        | ( Module )

BaseModule       := BEGIN BaseDeclarations END
BaseDeclarations := {BaseDeclaration}*
BaseDeclaration  := InputDecl
                  | OutputDecl
                  | GlobalDecl
                  | LocalDecl
                  | DefDecl
                  | InitDecl
                  | TransDecl
InputDecl        := INPUT VarDecls
OutputDecl       := OUTPUT VarDecls
GlobalDecl       := GLOBAL VarDecls
LocalDecl        := LOCAL VarDecls
DefDecl          := DEFINITION Definitions
InitDecl         := INITIALIZATION {DefinitionOrCommand}+ [ ; ]
TransDecl        := TRANSITION {DefinitionOrCommand}+ [ ; ]

DefinitionOrCommand := Definition
                     | [ SomeCommands ]
Definitions         := {Definition}+
Definition          := SimpleDefinition | ForallDefinition
ForallDefinition    := (FORALL ( VarDecls ) : Definitions)
SimpleDefinition    := Lhs RhsDefinition
Lhs                 := Identifier [ ' ] {Access}*
Access              := ArrayAccess | RecordAccess | TupleAccess
ArrayAccess         := [ Expression ]
RecordAccess        := . Identifier
TupleAccess         := . Numeral
RhsDefinition       := RhsExpression | RhsSelection
RhsExpression       := = Expression
RhsSelection        := IN Expression
SomeCommands        := {SomeCommand}+ [ [] ElseCommand ]
SomeCommand         := NamedCommand | MultiCommand
NamedCommand        := [ Identifier : ] GuardedCommand
GuardedCommand      := Guard --> Assignments
Guard               := Expression
Assignments         := {SimpleDefinition}* [ ; ]
MultiCommand        := ([] ( VarDecls ) : SomeCommand)
ElseCommand         := [ Identifier : ] ELSE --> Assignments

ModuleInstance          := {ModuleName | QualifiedModuleName} [ [{Expression}+] ]
ModuleName              := Name
QualifiedModuleName     := QualifiedName
SynchronousComposition  := Module || Module
AsynchronousComposition := Module [] Module
MultiSynchronous        := (|| (Identifier : IndexType) : Module)
MultiAsynchronous       := ([] (Identifier : IndexType) : Module)
Hiding                  := LOCAL {Identifier}+ IN Module
NewOutput               := OUTPUT {Identifier}+ IN Module
Renaming                := RENAME Renames IN Module
Renames                 := {Lhs TO Lhs}+
WithModule              := WITH NewVarDecls Module
NewVarDecls             := {InputDecl | OutputDecl | GlobalDecl}+
ObserveModule           := OBSERVE Module WITH Module


5.1  Base  Modules 


A  BaseModule  identifies  the  pairwise  distinct  sets  of  input,  output,  global,  and  local  variables.  This 
characterizes  the  state  of  the  module. 

As  described  below,  base  modules  also  may  consist  of  several  sections.  Note  that  the  grammar 
allows  variables  and  sections  to  be  given  in  any  order,  and  there  may,  for  example,  be  3  distinct 
TRANSITION  sections.  In  every  case,  it  is  the  same  as  if  there  was  a  prescribed  order,  with  each 
class  of  variable  and  section  being  the  union  of  the  individual  declarations. 


DEFINITION  section.  Definitions  appearing  in  the  DEFINITION  section(s)  are  treated  as  invariants 
for  the  system.  When  composed  with  other  modules,  the  definitions  remain  true  even  during 
the  transitions  of  the  other  modules.  For  this  reason,  proof  obligations  may  be  generated  for  a 
composition  where  definition  sections  are  involved.  This  section  is  usually  used  to  define  controlled 
variables  whose  values  ultimately  depend  on  the  inputs,  for  example,  a  boolean  variable  that 
becomes  true  when  the  temperature  goes  above  a  specified  value. 

Definition  sections  must  be  used  with  care,  especially  when  modeling  asynchronous  systems,  as  this 
means  that  in  some  sense  the  execution  of  a  module  on  a  remote  machine  can  still  be  seen  locally. 


INITIALIZATION  section.  The  INITIALIZATION  section(s)  constrain  the  possible  initial  values 
for  the  local,  global,  and  output  declarations.  Input  variables  may  not  be  initialized.  The 
INITIALIZATION  section(s)  determine  a  state  predicate  that  holds  of  the  initial  state  of  the  base 
module. 

Definitions and guarded commands appearing in the INITIALIZATION section must not contain 
any NextVariable occurrences, i.e., both sides of the defining equation must be current expressions. 
Guards may refer to any variables; when controlled variables are involved this acts as a form of 
postcondition. This is like backtracking: operationally a guarded initialization is selected, the 
assignments are made, and if the assignments violate the guard they are undone and a new 
guarded initialization is selected. 
TRANSITION section. The TRANSITION section(s) constrain the possible next states for the local, 
global, and output declarations. As this is generally defined relative to the previous state of the 
module, the transition section(s) determine a state relation. Input variables may not appear on the 
Lhs of any assignments. Guards may refer to any variables, even NextVariables. As with guarded 
initial transitions, guards involving NextVariables have to be evaluated after the assignments have 
been made, and if they are false the assignments must be undone and a new guarded transition 
selected. 


5.2  State  Variable  Manipulation 

Output  and  global  variables  can  be  made  local  by  the  LOCAL  construct.  Global  variables  can  be 
made  output  by  the  OUTPUT  construct.  In  order  to  avoid  name  clashes,  variables  in  a  module  can 
be  renamed  using  the  RENAME  construct.  When  the  renaming  variable  is  an  identifier,  its  type 
can  be  easily  inferred  from  the  renamed  variable.  New  state  variables  used  for  renaming  can  be 
introduced  using  the  WITH  construct  for  INPUT,  OUTPUT,  and  GLOBAL  declarations.  These  newly 
declared  variables  can  be  used  in  the  RENAME  construct  to  rename  the  variables  in  a  given  module. 
The  renaming  should  be  consistent  so  that  the  input  variables  can  be  renamed  only  by  input 
variables,  output  variables  only  by  output  variables,  and  global  variables  only  by  output  or  global 
variables.  The  types  of  the  renamed  and  the  renaming  variable  should  also  match. 


5.3  Module  Composition 


Modules  can  be  combined  by  either  synchronous  or  asynchronous  composition. 

Let module $M_i$ consist of input variables $I_i$, output variables $O_i$, global variables $G_i$, and local 
variables $L_i$. The modules $M_1 \,\|\, M_2$ and $M_1 \,[]\, M_2$ respectively represent the synchronous and 
asynchronous composition of $M_1$ and $M_2$. 

Variables with the same identifier are treated as identical, and it is an error to compose modules 
that assign different types to the same identifier. The syntactic constraints on both synchronous 
and asynchronous composition are that the output variables of each module must be disjoint from the global 
and output variables of the other module ($O_1 \cap (O_2 \cup G_2) = \emptyset$, $(O_1 \cup G_1) \cap O_2 = \emptyset$), and the local 
variables of each module must be disjoint from the other module's variables ($L_1 \cap (I_2 \cup O_2 \cup G_2) = \emptyset$, 
and symmetrically for $L_2$), but the two sets of local variables need not be disjoint from each other. 

The input variables $I$, the output variables $O$, global variables $G$, and the local variables $L$ of 
$M_1 \,\|\, M_2$ and $M_1 \,[]\, M_2$ are given by 

$$I = (I_1 \cup I_2) - (O \cup G), \qquad O = O_1 \cup O_2, \qquad G = G_1 \cup G_2, \qquad L = L_1 \cup L_2.$$

The semantics of synchronous composition is that the module $M_1 \,\|\, M_2$ consists of initializations that 
are the combination of initializations from the two modules, and the transitions are the combinations 
of the individual transitions of the two modules. The definitions of $M_1 \,\|\, M_2$ are simply the union 
of the definitions in $M_1$ and $M_2$. The initializations of $M_1 \,\|\, M_2$ are the pairwise combination of 
the initializations in $M_1$ and $M_2$. Two guarded initializations are combined by conjoining the 
guards and by taking the union of the assignments. Let $g_{1,i} \to a_{1,i}$ be an initialization from 
$M_1$ and $g_{2,j} \to a_{2,j}$ be an initialization from $M_2$. The guard $g_{1,i}$ might contain output variables 
of $M_2$, and similarly, guard $g_{2,j}$ might contain output variables of $M_1$. For the combination to 
be sensible, at most one of these guards, say $g_{1,i}$, is allowed to contain output variables of 
the other module. If we take $a_{2,j}^*$ as the union of the assignments in $a_{2,j}$ with the initialization 
definitions of $M_2$, then we can repeatedly apply $a_{2,j}^*$ as a substitution. It should then be the case 
that the repeated application $a_{2,j}^*(g_{1,i})$ converges. The combination of the two initializations is 
then $a_{2,j}^*(g_{1,i}) \wedge g_{2,j} \to a_{1,i};\, a_{2,j}$. The resulting combination might not be sensible, since the 
conjunction of the guards could be inconsistent. The combination of the assignments $a_{1,i};\, a_{2,j}$ 
might also be causally inconsistent, and proof obligations have to be generated to ensure that such 
combinations do not occur. The dependency analysis in the case of synchronous composition is 
similar to that for a single module, with the restriction that only cycles involving variables from 
both modules need be considered. 

The consistency and dependency analysis for combinations of guarded transitions in a synchronous 
composition is similar to that for guarded initializations. In this manner, the synchronous 
composition $M_1 \,\|\, M_2$ of two modules $M_1$ and $M_2$ can be expressed as a single module combining the 
definitions, initializations, and transitions from the individual modules. If there are $n_1$ guarded 
commands in $M_1$ and $n_2$ in $M_2$, the composition $M_1 \,\|\, M_2$ could have up to $n_1 \cdot n_2$ guarded commands. 
Thus it is not always feasible to expand out the module corresponding to such a composition. The 
expectation is that this will rarely be necessary, since the modules can be individually analyzed and 
the properties composed. 

The semantics of asynchronous composition of two modules is given by the conjunction of the 
initializations and the interleaving of the transitions of the two modules. For this purpose, the 
definitions in $M_1$ and $M_2$ must first be eliminated by including them in the guarded initializations 
and transitions. The module corresponding to $M_1 \,[]\, M_2$ is obtained by combining the initializations 
as in synchronous composition and taking the union of the transition definitions and the guarded 
transitions. The combination of initializations can generate proof obligations, but there are no new 
proof obligations arising from the union of the module transitions. 

The form of composition in SAL supports a compositional analysis in the sense that any module 
properties expressed in linear-time temporal logic or in the more expressive universal fragment of 
CTL* are preserved through composition. A similar claim holds for asynchronous composition with 
respect to stuttering-invariant properties, where a stuttering step is one in which the local and output 
variables of the module remain unchanged. 

The  causality  analysis  for  synchronous  multicompositions  is  carried  out  inductively  by  unfolding 
the  multicomposition  into  a  composition  of  a  single  module  and  a  smaller  multicomposition. 
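
The composition rules of this section, as an added Python example (this is example code written for this page, not the SAL manual's own definitions or the SAL tools): a guarded-command module is a small Python object, `sync_compose` builds the $n_1 \cdot n_2$ product with conjoined guards and merged assignments and rejects a clash on a shared variable, `async_compose` takes the union of the commands, and `step` realises the guard-as-postcondition reading of Section 5.1 (assignments are made first, a guard that mentions next-state values is evaluated on the result, and the tentative state is discarded if it is false). The counter and monitor modules are constructed here for illustration; the monitor's guards read the counter's next value, which is the causal-dependency case discussed above.

```python
"""Synchronous (||) and asynchronous ([]) composition of two guarded-command
modules, following the variable-set rules of Section 5.3.

A transition is (name, guard, assigns).  `assigns` maps a variable to a
function of the pre-state that yields its next value; variables a command
does not assign keep their value.  `guard(pre, post)` is evaluated after the
assignments have been applied, so it may read next-state values from `post`
(the postcondition reading of guards in Section 5.1).
"""
from itertools import product


class Module:
    def __init__(self, inputs, outputs, globals_, locals_, transitions):
        classes = [frozenset(inputs), frozenset(outputs),
                   frozenset(globals_), frozenset(locals_)]
        for i in range(4):                      # the four classes are pairwise disjoint
            for j in range(i + 1, 4):
                if classes[i] & classes[j]:
                    raise ValueError("variable in two classes: %s" % sorted(classes[i] & classes[j]))
        self.I, self.O, self.G, self.L = classes
        self.transitions = list(transitions)


def check_composable(m1, m2):
    """Syntactic constraints shared by || and []."""
    if m1.O & (m2.O | m2.G) or (m1.O | m1.G) & m2.O:
        raise ValueError("an output clashes with the other module's outputs or globals")
    for m, other in ((m1, m2), (m2, m1)):
        if m.L & (other.I | other.O | other.G):
            raise ValueError("a local variable clashes with the other module's variables")


def composed_variables(m1, m2):
    """I = (I1 u I2) - (O u G), O = O1 u O2, G = G1 u G2, L = L1 u L2."""
    O = m1.O | m2.O
    G = m1.G | m2.G
    L = m1.L | m2.L
    I = (m1.I | m2.I) - (O | G)   # an input the other module writes is wired to it
    return I, O, G, L


def sync_compose(m1, m2):
    """M1 || M2: every pair of guarded commands fires as one command, guards
    conjoined, assignments merged; up to n1 * n2 commands."""
    check_composable(m1, m2)
    trans = []
    for (n1, g1, a1), (n2, g2, a2) in product(m1.transitions, m2.transitions):
        clash = set(a1) & set(a2)
        if clash:                               # both sides assign the same variable
            raise ValueError("conflicting assignments to %s" % sorted(clash))
        trans.append((n1 + "||" + n2,
                      lambda pre, post, g1=g1, g2=g2: g1(pre, post) and g2(pre, post),
                      {**a1, **a2}))
    return Module(*composed_variables(m1, m2), trans)


def async_compose(m1, m2):
    """M1 [] M2: interleaving, i.e. the union of the guarded commands."""
    check_composable(m1, m2)
    return Module(*composed_variables(m1, m2), m1.transitions + m2.transitions)


def step(module, state):
    """All enabled successors of `state`: make the assignments, then evaluate
    the guard on the result and discard the tentative state if it is false."""
    out = []
    for name, guard, assigns in module.transitions:
        post = dict(state)
        for var, f in assigns.items():
            post[var] = f(state)                # right-hand sides read the pre-state
        if guard(state, post):
            out.append((name, post))
    return out


# Constructed illustration (not from the manual): a counter and a monitor
# whose input n is wired to the counter's output once they are composed.
counter = Module((), ("n",), (), (), [
    ("inc",   lambda pre, post: pre["n"] < 3,  {"n": lambda s: s["n"] + 1}),
    ("reset", lambda pre, post: pre["n"] == 3, {"n": lambda s: 0}),
])

monitor = Module(("n",), ("alarm",), (), (), [
    # these guards read the *next* value of n, which in M1 || M2 is the
    # counter's assignment for this very step (the causality case of 5.3)
    ("raise", lambda pre, post: post["n"] >= 2 and not pre["alarm"], {"alarm": lambda s: True}),
    ("clear", lambda pre, post: post["n"] < 2 and pre["alarm"],      {"alarm": lambda s: False}),
    ("idle",  lambda pre, post: (post["n"] >= 2) == pre["alarm"],    {}),
])

if __name__ == "__main__":
    s0 = {"n": 1, "alarm": False}
    print("||:", step(sync_compose(counter, monitor), s0))
    print("[]:", step(async_compose(counter, monitor), s0))
```

From `{n: 1, alarm: False}` the synchronous product has a single enabled command, `inc||raise`, because the monitor sees the counter's new value 2 in the same step; the interleaved composition instead offers `inc` (monitor idle) or `idle` (counter idle), and the alarm can only rise one step later. Composing `counter` with itself is rejected because both modules output `n`.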


5.4  Module  Declarations 

It  is  good  pragmatics  to  name  a  module.  This  name  can  be  used  to  index  the  local  variables  so  that 
they  need  not  be  renamed  during  composition.  Also,  the  properties  of  the  module  can  be  indexed 
on  the  name  for  quick  look-up.  Parametric  modules  allow  the  use  of  logical  (state-independent) 
and  type  parameterization  in  the  definition  of  modules.  A  parametric  module  is  defined  as 
ModuleDeclaration := Identifier [ [VarDecls] ] : MODULE = Module 

Parametric  modules  allow  modules  to  be  defined  with  some  open  parameters  that  can  be  instanti¬ 
ated  when  the  module  is  used. 
Chapter 6 

SAL Contexts 


The language so far can describe transition system modules but has no way of declaring new types 
or constants or asserting properties of these modules. The SAL context language provides the 
framework for declaring types, constants, modules, and module properties. Below we present the 
syntax for contexts containing declarations for constants, types, modules, assertions, and other 
(imported) contexts. SAL contexts are read from left to right, top to bottom, and an entity must 
be declared before it is referenced.[1] 

There is no name overloading in SAL. An unqualified name always refers to the local context. 
Qualified names must provide both the context and the parameters. Because of this, explicit 
importings are not needed.[2] 


Context              := Identifier [ {Parameters} ] : CONTEXT = ContextBody
Parameters           := [ TypeDecls ] ; {VarDecls}*
TypeDecls            := {Identifier}+ : TYPE
ContextBody          := BEGIN Declarations END
Declarations         := {Declaration ;}+
Declaration          := ConstantDeclaration
                      | TypeDeclaration
                      | AssertionDeclaration
                      | ContextDeclaration
                      | ModuleDeclaration
ConstantDeclaration  := Identifier [ ( VarDecls ) ] : Type [ = Expression ]
TypeDeclaration      := Identifier : TYPE [ = TypeDef ]
AssertionDeclaration := Identifier : AssertionForm = AssertionExpression
AssertionForm        := OBLIGATION | CLAIM | LEMMA | THEOREM
ContextDeclaration   := Identifier : CONTEXT = Identifier {ActualParameters}
ActualParameters     := {Type}* ; {Expression}*


[1] For those readers familiar with PVS, a SAL context is very similar to a PVS theory, but with different sets of 
allowable declarations. 

[2] We are considering adding IMPORTINGs for convenience in the concrete language, but the parser should always 
be able to generate fully qualified names in the abstract syntax. See Section 8.2.1. 
6.1 Context Parameters 

Context  parameters  allow  for  generic  contexts  that  may  be  used  from  other  contexts  with  different 
instances.  Thus  a  context  may  be  parameterized  by  a  positive  integer  N  that  gives  the  number  of 
processes,  and  a  modelchecker  may  instantiate  this  to  6,  in  order  to  make  it  finite. 

Within  the  given  context,  parameter  types  are  treated  as  uninterpreted  types,  and  parameter 
variables  are  treated  as  uninterpreted  constants.  Note  that  distinct  type  parameters  are  treated  as 
distinct  types,  although  they  may  be  instantiated  to  the  same  type. 

6.2  Constant  Declarations 

The  simplest  constant  declaration  provides  an  uninterpreted  constant,  e.g., 

c:  INTEGER 

Note  that  because  all  types  must  be  nonempty,  no  proof  obligation  will  be  generated  for  the 
constant,  though  there  may  be  one  generated  for  the  type. 

Constant  declarations  may  also  provide  a  definition: 

n:  INTEGER  =  3 

f: [INTEGER -> [INTEGER -> INTEGER]] = 
  LAMBDA (x: INTEGER): LAMBDA (y: INTEGER): x + n * y 

A defining form may be used, which is usually more readable: 

f(x: INTEGER): [INTEGER -> INTEGER] = 
  LAMBDA (y: INTEGER): x + n * y 

Although  higher-order  functions  are  supported,  only  the  top-level  LAMBDA  may  be  turned  into  a 
defining  form.  This  is  not  much  of  an  inconvenience,  since  higher-order  functions  are  not  often 
needed  in  transition  system  specifications. 

Constant declarations may also be recursive. This is implicit, and the system must be able to 
determine the measure in order to generate the proper termination obligation:[3] 

fact (n:  NATURAL):  NATURAL  = 

IF  n  =  0  THEN  1  ELSE  n  *  fact(n  -  1) 

6.3  Context  Declarations 

A  ContextDeclaration  provides  an  abbreviation,  e.g.,  instead  of  writing 

lem: LEMMA mycontext{int; 13}!f(3) = mycontext{int; 13}!f(4) 

[3] As discussed in Section 8.5, this will probably change in the future. 
One would write 

mc:  CONTEXT = mycontext{int; 13} 
lem: LEMMA mc!f(3) = mc!f(4) 


6.4  Assertion  Declarations 

Assertion expressions allow properties to be stated. In the simplest case these are just boolean-valued 
expressions, which are thus just logical formulas. The ModuleModels form allows properties 
of modules to be stated. Note that the syntax says nothing about the possible temporal operators; 
these are defined in a separate context. A ModuleImplements assertion $M_c$ IMPLEMENTS $M_a$ says 
that any possible behavior of $M_c$ is also a behavior of $M_a$. This allows refinement and abstraction 
relations to be specified. 


AssertionExpression    := ModuleAssertion | PropositionalAssertion | QuantifiedAssertion | Expression
ModuleAssertion        := ModuleModels | ModuleImplements
ModuleModels           := Module |- Expression
ModuleImplements       := Module IMPLEMENTS Module
PropositionalAssertion := PropOp ( AssertionExpression , AssertionExpression )
                        | NOT ( AssertionExpression )
QuantifiedAssertion    := Quantifier ( VarDecls ) : AssertionExpression
PropOp                 := AND | OR | => | <=>
Chapter 7 

Another SAL Example: Mutual Exclusion 


We show another example SAL specification: a variant of Peterson's mutual exclusion algorithm [6]. 
Here the state of the process module consists of the controlled variables corresponding to its own 
program counter pc1 and boolean variable x1, and the observed variables are the corresponding pc2 
and x2 of the other process. Initially the process is sleeping. The process module is parameterized 
with a boolean tval argument. 

The system is then the asynchronous composition of two processes, where the variables of 
process[TRUE] have been renamed in order to make them compatible with process[FALSE], i.e., 
the outputs of one are wired to the inputs of the other. 

The main property of this algorithm is the assertion mutex, which states the safety property that in 
system it is always the case that the two processes are not both in their critical sections. The 
assertion language used here is LTL: G is the henceforth modality and F is eventually. 
Other properties are given as well; for example, livenessbug1 states the liveness property that 
process[FALSE] always eventually reaches its critical section. This property is false, because 
there is no fairness built into SAL, so process[TRUE] can simply run forever. The same is true 
for livenessbug2. The other liveness properties bring in fairness constraints explicitly, and are 
provable. 


peterson: CONTEXT = 
BEGIN 
  PC: TYPE = {sleeping, trying, critical}; 

  process [tval : BOOLEAN] : MODULE = 
  BEGIN 
    INPUT  pc2 : PC 
    INPUT  x2  : BOOLEAN 
    OUTPUT pc1 : PC 
    OUTPUT x1  : BOOLEAN 
    INITIALIZATION pc1 = sleeping 
    TRANSITION 
    [ 
      wakening : 
        pc1 = sleeping --> pc1' = trying; x1' = (x2 = tval) 
      [] 
      entering_critical : 
        pc1 = trying AND (pc2 = sleeping OR x1 = (x2 /= tval)) 
          --> pc1' = critical 
      [] 
      leaving_critical : 
        pc1 = critical --> pc1' = sleeping; x1' = (x2 = tval) 
    ] 
  END; 

  system: MODULE = 
    process[FALSE] 
    [] 
    RENAME pc2 TO pc1, pc1 TO pc2, 
           x2 TO x1, x1 TO x2 
    IN process[TRUE]; 

  mutex:        THEOREM system |- G(NOT(pc1 = critical AND pc2 = critical)); 
  invalid:      THEOREM system |- G(NOT(pc1 = trying AND pc2 = critical)); 
  livenessbug1: THEOREM system |- G(F(pc1 = critical)); 
  livenessbug2: THEOREM system |- G(F(pc2 = critical)); 
  liveness1:    THEOREM system |- G(pc2 = trying => F(pc2 = critical)); 
  liveness2:    THEOREM system |- G(pc1 = trying => F(pc1 = critical)); 
  liveness3:    THEOREM system |- G(F(pc1 = trying)) => G(F(pc1 = critical)); 
  liveness4:    THEOREM system |- G(F(pc2 = trying)) => G(F(pc2 = critical)); 
END 


Note: the assertions in the THEOREMs are not technically type correct, because the LTL operators 
G and F are not defined locally. They are built into the SALENV tools described at http:// 
sal.csl.sri.com/salenv.html. To make this valid would require defining an LTL context, then 
including the context name (along with the parameters) in the references to G and F. In addition, 
G and F technically operate on path formulas, so giving them a type that allows them to operate 
on boolean formulas is a problem. Sections 8.2.1 and 8.3 address these issues. 
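
The peterson context above, checked by an added explicit-state search written in Python for this page (it is not the SALENV model checker, and the LTL assertions are checked in their finite-state form): `successors` implements the asynchronous composition together with the RENAME of process[TRUE], `check_always` decides the G(...) safety assertions over the reachable states, and `refute_always_eventually` looks for a reachable cycle on which pc1 never equals critical, which is exactly the unfair run the text gives as the reason livenessbug1 fails. The same search also illustrates the interleaving semantics of asynchronous composition from Section 5.3.

```python
"""Explicit-state check of the peterson context above: the asynchronous
composition of process[FALSE] with the renamed process[TRUE], then the
assertions mutex, invalid and livenessbug1 in their finite-state form."""

SLEEPING, TRYING, CRITICAL = "sleeping", "trying", "critical"


def process_moves(pc1, x1, pc2, x2, tval):
    """Enabled guarded commands of process[tval] from its own side: (pc1, x1)
    are its OUTPUT variables, (pc2, x2) its INPUT variables.  Yields
    (label, pc1', x1'); a variable the command does not assign is unchanged."""
    if pc1 == SLEEPING:
        yield "wakening", TRYING, (x2 == tval)
    if pc1 == TRYING and (pc2 == SLEEPING or x1 == (x2 != tval)):
        yield "entering_critical", CRITICAL, x1
    if pc1 == CRITICAL:
        yield "leaving_critical", SLEEPING, (x2 == tval)


def successors(state):
    """system = process[FALSE] [] RENAME ... IN process[TRUE]: interleaving,
    exactly one process moves per step.  State is (pc1, x1, pc2, x2)."""
    pc1, x1, pc2, x2 = state
    out = [("p1." + lbl, (npc, nx, pc2, x2))
           for lbl, npc, nx in process_moves(pc1, x1, pc2, x2, False)]
    # after the RENAME, process[TRUE] owns (pc2, x2) and observes (pc1, x1)
    out += [("p2." + lbl, (pc1, x1, npc, nx))
            for lbl, npc, nx in process_moves(pc2, x2, pc1, x1, True)]
    return out


def initial_states():
    # INITIALIZATION fixes only the program counters; x1 and x2 may start
    # with either value, so all four combinations are initial states.
    return {(SLEEPING, a, SLEEPING, b) for a in (False, True) for b in (False, True)}


def reachable():
    """Reachable states of `system` and the successor relation among them."""
    seen = set(initial_states())
    edges = {}
    frontier = list(seen)
    while frontier:
        new = []
        for s in frontier:
            edges[s] = [t for _, t in successors(s)]
            for t in edges[s]:
                if t not in seen:
                    seen.add(t)
                    new.append(t)
        frontier = new
    return seen, edges


def check_always(pred):
    """system |- G(pred): returns a reachable state violating pred, or None."""
    states, _ = reachable()
    return next((s for s in states if not pred(s)), None)


def refute_always_eventually(pred):
    """system |- G(F(pred)) is false iff some reachable cycle avoids pred
    forever; with no fairness assumption that cycle is a legitimate run.
    Returns a state on such a cycle, or None."""
    states, edges = reachable()
    avoid = {s for s in states if not pred(s)}

    def reaches(src, target):
        stack, visited = [src], set()
        while stack:
            u = stack.pop()
            if u == target:
                return True
            if u in visited:
                continue
            visited.add(u)
            stack.extend(t for t in edges[u] if t in avoid)
        return False

    for s in avoid:
        if any(reaches(t, s) for t in edges[s] if t in avoid):
            return s
    return None


# The assertions of the context as state predicates.
def mutex(s):
    return not (s[0] == CRITICAL and s[2] == CRITICAL)


def invalid(s):
    return not (s[0] == TRYING and s[2] == CRITICAL)


def pc1_critical(s):
    return s[0] == CRITICAL


if __name__ == "__main__":
    print("mutex violated at:", check_always(mutex))
    print("invalid violated at:", check_always(invalid))
    print("livenessbug1 refuted by a cycle through:", refute_always_eventually(pc1_critical))
```

`mutex` has no violating reachable state; `invalid` is violated as soon as process[TRUE] is in its critical section and process[FALSE] wakes; and the cycle found for livenessbug1 is process[TRUE] going sleeping, trying, critical, sleeping on its own while pc1 stays at sleeping, which no assertion rules out because nothing forces process[FALSE] to be scheduled.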
Chapter 8 

Future Work 


This  language  manual  and  SAL  itself  are  a  work  in  progress. 

8.1  SAL  as  an  Intermediate  Language 

SAL  was  originally  intended  to  be  an  intermediate  language,  but  as  work  progressed  it  became  clear 
that  many  users  were  going  to  use  the  language  directly,  not  as  an  internal  representation  for  some 
front  end.  In  addition,  the  desire  to  create  a  SAL  tool  bus,  and  to  keep  it  language  independent, 
led  to  the  decision  to  create  an  abstract  syntax  in  XML,  and  treat  that  as  the  intermediate  form. 
XML was chosen because it is widely used, extensible, and most popular programming languages 
have direct support for reading and representing XML data structures. 

We have thus defined an abstract syntax in XML by a document type description (DTD), available 
at http://sal.csl.sri.com/documentation.html. The SAL parser (http://sal.csl.sri.com/ 
salparser.html) simply reads the concrete syntax and generates an XML file that satisfies the 
SAL DTD. The separation of the abstract and concrete syntax has many benefits, in that the 
concrete language may be extended in various ways for convenience, yet map to a more restricted 
set of data structures, which means that tools do not need to be modified every time something is 
added to the concrete language. In addition, users may create their own concrete languages, as 
long as there is a mapping to the SAL XML abstract syntax. 

A  general  rule  followed  by  the  SAL  parser  is  that  any  transformations  done  by  the  parser  in  creating 
the  abstract  structures  must,  in  principle,  be  invertible.  In  other  words,  it  should  be  possible  to 
prettyprint  the  abstract  syntax  and  get  back  the  original  form,  ignoring  whitespace. 


8.2  A  SAL  Prelude 

The  language  described  here  has  many  built-ins,  such  as  INTEGER,  AND,  +,  etc.  In  principle,  these 
could  be  defined  in  a  separate  context,  and  imported.  This  would  make  the  language  cumbersome, 
so  instead  they  were  built-in.  In  our  opinion  a  better  choice  would  be  to  define  these  in  a  prelude, 
that  is  automatically  imported  and  provides  types,  constants,  and  lemmas.  For  example,  various 
logics  such  as  CTL,  CTL*,  and  LTL  can  be  defined  in  the  prelude,  and  even  given  semantics. 
The main advantage of a prelude is that it separates the core language from entities built on the 
core language. This means that changes to the language can be kept to a minimum, while still 
allowing new types and constants to be treated as if they were built-in. This is similar to the 
separation of the core language of C from its numerous libraries. 

Any  given  SAL  tool  should  be  able  to  read  the  prelude,  and  build  a  symbol  table,  so  it  should  not 
be  difficult  to  support. 


8.2.1  Libraries,  Importings,  and  Logics 

The  language  defined  here  may  only  refer  to  names  outside  the  context  using  the  fully  qualified 
name.  This  is  helped  somewhat  with  Context  Declarations,  but  if  a  large  hierarchy  is  built  up,  even 
this  will  lead  to  specifications  that  are  difficult  to  write  and  to  read.  In  moving  away  from  the  view 
that  this  is  solely  an  intermediate  language,  we  feel  that  the  addition  of  libraries,  importings,  and 
logics  would  be  useful,  at  least  in  the  concrete  language. 

A  library  is  really  just  an  extension  of  the  idea  of  a  prelude,  and  allows  sets  of  contexts  to  be 
defined  in  a  separate  directory,  and  packaged  for  broad  use  and  distribution,  as  with  PVS  libraries. 

Importing a context instance allows the names from that context to be used without a qualifier. 
There would be restrictions: name conflicts will not be allowed, even if the entities are not 
comparable. If a referenced name has an associated declaration both in the current context and an 
imported one, the local one is always used. If a referenced name is common to two separate contexts 
(including different instances of the same context), then it is an error, and the name must be fully 
qualified. 

Importing a logic is similar, but the idea here is that a logic may be parameterized with the 
transition system defined by a module, and many instances may be needed for multiple module 
expressions. A logic declaration would be similar to an importing, but the information needed to 
instantiate it is derived from the module assertions. For example, a CTL context could be defined, 

  ctl{state: TYPE; 
      init:  [state -> BOOLEAN], 
      trans: [[state, state] -> BOOLEAN]} : CONTEXT = 

and this can then be used as follows: 

  LOGIC ctl 

  asafety: LEMMA async_bak |- AG(NOT (pc1 = 13 AND pc2 = 13)); 

rather than the error-prone and unreadable expanded form: 

  asafety: LEMMA 
    async_bak |- ctl{async_bak.STATE; async_bak.INIT, async_bak.TRANS}! 
                 AG(NOT (pc1 = 13 AND pc2 = 13)); 

This would address the problem with the peterson specification described in Chapter 7. 
Note that in principle a parser for the concrete language can parse the imported contexts, produce 
name conflict errors, and generate XML files that do not have any importings. This kind of 
transformation means that the abstract syntax can be kept minimal, while allowing the concrete 
syntax to be much more convenient and readable. 


8.3  Conversions 

The preceding section described a CTL formula. In CTL, AG is a predicate transformer, of type 
[[STATE -> BOOLEAN] -> [STATE -> BOOLEAN]]. But of course NOT and AND are BOOLEAN 
operators, so there is a mismatch. PVS provides a mechanism, called lambda conversion, that is very 
effective in lifting such operators; in this case the result would be as follows: 

  AG(LAMBDA (s: STATE): NOT (pc1(s) = 13 AND pc2(s) = 13)) 

Of  course,  if  SAL  was  only  intended  for  CTL,  this  could  simply  be  built-in,  but  SAL  is  intended  to 
be  logic- independent.  For  LTL,  the  formulas  are  path  formulas,  not  state  formulas.  In  fact,  LTL 
often  treats  state  formulas  as  path  formulas.  So  a  more  comprehensive  treatment  is  needed,  and 
conversions  look  like  a  reasonable  approach. 


8.4  Empty  Types 

As discussed in the adder example in Chapter 2, the restriction to nonempty types can actually get 
in the way of succinct specifications. In the adder case there is no real problem with having the 
empty type; it simply means that the onebitadder is composed with a module that always skips. 
Thus in a MultiSynchronous composition, if the index type is empty, the result is a module with no 
state variables that always skips. If it is a MultiAsynchronous composition, the result is an empty 
module with no transitions (i.e., it is deadlocked). PVS allows empty types, and there is no logical 
difficulty. One must, of course, be careful when applying logical rules, in particular those involving 
quantifiers. For example, one can usually ignore quantifiers whose bound variables do not occur 
in the underlying expression, but if empty types are allowed this is unsound. Thus FORALL (x: T): FALSE 
could naively be reduced to FALSE, but if the type T is empty it is actually vacuously 
TRUE. Also, allowing a type to be empty means that the declaration of a constant may entail a 
nonemptiness obligation on the type. 


8.5  Recursive  Function  Termination 

In PVS, recursive functions must include a measure, and optionally a well-founded ordering. In 
earlier discussions of SAL it was thought that functions would be simple enough that the typechecker 
would always be able to figure out the measure, but this is clearly not true; even the usual definition 
of GCD requires a measure on the difference of the arguments, and it is not at all clear how a 
typechecker would be able to determine this. In the future we plan to allow a measure and ordering 
to be optionally provided by the user. 


8.6  State-Dependent  Types 


Types in SAL are static, but there are situations where having a type that depends on the state 
is more expressive. In effect, it means that the type can change as the system progresses. The 
typechecker would generate proof obligations that in every reachable state all state variables satisfy 
their types. State-dependent types might be useful, for example, in modeling adjustable arrays, 
where an array may change size dynamically but it is preferable to prove that a runtime array-bounds 
check is not necessary. 
Abstract. Most of the properties established during verification are either 
invariants or depend crucially on invariants. The effectiveness of automated 
formal verification is therefore sensitive to the ease with which 
invariants, even trivial ones, can be automatically deduced. While the 
strongest invariant can be defined as the least fixed point of the strongest 
post-condition of a transition system starting with the set of initial states, 
this symbolic computation rarely converges. We present a method for 
invariant generation and strengthening that relies on the simultaneous 
construction of least and greatest fixed points, restricted widening and 
narrowing, and quantifier elimination. The effectiveness of the method is 
demonstrated on a number of examples. 


1  Introduction 

The  majority  of  properties  established  during  the  verification  of  programs  are 
either  invariants  or  depend  crucially  on  invariants.  Indeed,  safety  properties  can 
be  reduced  to  invariant  properties,  and  to  prove  progress  one  usually  needs  to 
establish  auxiliary  invariance  properties  too.  Consequently,  the  discovery  and 
strengthening  of  invariants  is  a  central  technique  in  the  analysis  and  verification 
of  both  sequential  programs  and  reactive  systems,  especially  for  infinite  state 
systems. 

Consider, for example, a program with state variables $pc$ and $x$. The program 
counter $pc$ is interpreted over the control locations $inc$ and $dec$, and $x$ is interpreted 
over the integers. Initially, the program counter $pc$ is set to $inc$ and $x$ to 
$0$. The dynamics of the system is described in terms of the guarded commands: 

$$pc = inc \;\mapsto\; x := x + 2;\ pc := dec$$ 
$$pc = dec \wedge x > 0 \;\mapsto\; x := x - 2;\ pc \in \{inc, dec\}$$ 

Suppose we are interested in establishing the invariant $pc = inc \to x = 0$. A 
naive proof attempt fails, and consequently, the invariant needs to be strengthened 
to an inductive invariant $(pc = inc \to x = 0) \wedge (pc = dec \to x = 2)$. Such 

*  The  research  described  in  this  paper  was  supported  in  part  by  NSF  contract  CCR- 
9712383  and  DARPA/AFRL  contract  F33615-00-C-3043. 
strengthenings are typically needed in induction proofs. In general, the main 
principle for proving that a predicate $p$ is an invariant of some program or system 
$S$ consists in finding an auxiliary predicate $\varphi$ such that $\varphi$ is stronger than 
$p$ and $\varphi$ is inductive; i.e., every initial state of $S$ satisfies $\varphi$, and $\varphi$ is preserved 
under all transitions. This rule is sound and (relatively) complete. On the other 
hand, finding a strengthening $\varphi$ is not always obvious, and usually requires a 
microscopic examination of failed verification attempts. 
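
The induction rule just stated, run on the two-command $(pc, x)$ system of the introduction, as an added Python example (written for this page; it is not the paper's procedure and uses no widening or quantifier elimination): the guarded commands are encoded as the page gives them, `reachable` computes the least fixed point of the strongest post-condition by explicit forward propagation (it converges for this small system, which is the exception the abstract warns about), and `is_inductive` applies the rule, enumerating $x$ over a bounded window so that every failure it reports is a genuine counterexample while a pass is only bounded evidence.

```python
"""The induction rule above, run on the two-command (pc, x) system: explicit
forward reachability (the least fixed point of the strongest post-condition)
and a bounded check of whether a candidate predicate is inductive."""
from itertools import product

INC, DEC = "inc", "dec"
INITIAL = (INC, 0)


def cmd_inc(pc, x):
    # pc = inc  |->  x := x + 2; pc := dec
    return [(DEC, x + 2)] if pc == INC else []


def cmd_dec(pc, x):
    # pc = dec /\ x > 0  |->  x := x - 2; pc in {inc, dec}   (pc chosen nondeterministically)
    return [(INC, x - 2), (DEC, x - 2)] if pc == DEC and x > 0 else []


COMMANDS = (cmd_inc, cmd_dec)


def successors(state):
    pc, x = state
    return [t for cmd in COMMANDS for t in cmd(pc, x)]


def reachable(limit=10_000):
    """Forward propagation from the initial state until no new state appears.
    Returns the reachable set, or None if it has not converged within `limit`
    states (for this system it converges after a handful of states)."""
    seen, frontier = {INITIAL}, [INITIAL]
    while frontier:
        new = []
        for s in frontier:
            for t in successors(s):
                if t not in seen:
                    seen.add(t)
                    new.append(t)
        if len(seen) > limit:
            return None
        frontier = new
    return seen


def holds_on_reachable(pred):
    """Is `pred` an invariant, i.e. true of every reachable state?"""
    return all(pred(pc, x) for pc, x in reachable())


def is_inductive(pred, bound=20):
    """Induction rule: the initial state satisfies pred, and every command
    takes a pred-state to a pred-state.  x is enumerated over [-bound, bound],
    so a reported failure is a genuine counterexample while a pass is only
    bounded evidence (a decision procedure would close that gap).
    Returns (True, None) or (False, (pre_state, post_state))."""
    if not pred(*INITIAL):
        return False, (None, INITIAL)
    for pc, x in product((INC, DEC), range(-bound, bound + 1)):
        if not pred(pc, x):
            continue
        for t in successors((pc, x)):
            if not pred(*t):
                return False, ((pc, x), t)
    return True, None


def candidate(pc, x):
    """The property of interest: pc = inc -> x = 0."""
    return pc != INC or x == 0


if __name__ == "__main__":
    print("reachable:", sorted(reachable()))
    print("candidate is an invariant:", holds_on_reachable(candidate))
    print("candidate is inductive:", is_inductive(candidate))
    strongest = lambda pc, x: (pc, x) in reachable()
    print("strongest invariant is inductive:", is_inductive(strongest))
```

The candidate holds on every reachable state but is not inductive: the rule must consider every state satisfying it, and from $(dec, 1)$, which the candidate does not exclude, the second command leads to $(inc, -1)$. The set of reachable states itself, the strongest invariant, passes the check by construction; the paper's contribution is obtaining an inductive predicate between those two extremes symbolically, when the explicit computation used here does not terminate.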

Most approaches for generating and strengthening invariants are based on 
symbolic computation of the system at hand [4,10,15]. The bottom-up method 
performs an abstract forward propagation to compute the set of all reachable 
configurations, while the top-down method starts from an invariant candidate 
$p$ and performs an abstract backward propagation to compute a strengthened 
invariant $\varphi$. There is, however, no guarantee of success in exact forward or 
backward propagation. This may be due either to infinite or unmanageably large 
configuration spaces or to the failure to detect convergence of the propagation 
methods altogether. Consequently, approximation techniques such as widening 
or narrowing [8] are needed to enforce termination of symbolic computation. The 
basic idea is to accelerate the convergence of symbolic computations in infinite 
abstract domains. 

The framework of abstract interpretation with widening and narrowing as outlined in [8], however, is not immediately applicable to the discovery and strengthening of inductive invariants, since not every over-approximation of an inductive invariant is necessarily an inductive invariant. Our main contributions are: first, we provide an abstract description of the process of inductive invariant generation and strengthening based on computing under- and over-approximations of the reachable state set; second, this framework is instantiated with a novel technique based on combining concrete widening and narrowing operators. Our techniques can uniformly be used on a wide class of examples, including transition systems where both forward and backward propagation do not converge. We demonstrate the effectiveness of our approach through a variety of examples.

Our algorithm is based on the symbolic computation of a sequence of under- and over-approximations of the reachable state set. These computations rely heavily on the elimination of quantifiers in the underlying theory. Quantifier elimination, however, is not required to return equivalent formulas, since our algorithm tolerates weakened quantifier-eliminated formulas. Whenever the computation of the sequence of under-approximations terminates, we get an inductive invariant. Moreover, since every element in the sequence of decreasing over-approximations is an inductive invariant, our algorithm can be stopped at any time and it outputs the best (strongest) inductive invariant computed up to this point. In the example above, our procedure yields the invariant $(pc = inc \to x = 0) \land (pc = dec \to x = 2)$.¹

¹ This example can also be handled by some other invariant generation techniques based on forward reachability or abstraction [3,17].
The approach faces two problems. First, the computation of the sequence of under-approximations usually does not terminate. Second, the computation of the sequence of over-approximations terminates, in practice, with very weak invariants. For instance, forward reachability does not converge in case the initial value for $x$ is unspecified in the example above. In order to overcome these problems we add specialized widening and narrowing operators to our algorithm. One of the distinguishing features of our algorithm is the use of unreachable configurations for detecting unreachable strongly connected components and computing corresponding narrowing operators. In this way, our algorithm terminates with the invariant $x > -2$ in case the initial value for $x$ is unspecified in our running example.

The paper is structured as follows. In Section 2 we introduce notation and definitions. Section 3 presents the theoretical framework that is used in Section 4 to obtain a procedure for generating invariants using affirmation and propagation rules along with widening and narrowing. Finally, we conclude in Section 5 with a short investigation of the relationship between invariant generation and abstract interpretation, and comparisons with related work.

2  Preliminaries 

Let $\Sigma$ be a first-order language containing interpreted symbols for standard concrete domains like booleans, integers and reals. Let $\Re$ denote the (first-order) theory of interest over the language $\Sigma$. We fix the set $V = \{x_1, \ldots, x_n\}$ of (typed) variables and denote by $\mathcal{F}$ the set of first-order formulas over $\Sigma$ with free variables contained in the set $V$. A transition system $S$ is a tuple $(V, \Theta, \Phi)$, where $\Theta \in \mathcal{F}$ and $\Phi$ is a first-order formula over $\Sigma$ with free variables contained in the set $V \cup V'$, where $V' = \{x'_1, \ldots, x'_n\}$. The formula $\Theta$ is called the initial predicate and the formula $\Phi$ a transition predicate of the system $S$. We shall denote the sequence $x_1, \ldots, x_n$ by $\bar{x}$ and the sequence $x'_1, \ldots, x'_n$ by $\bar{x}'$.

A state $\sigma$ of a transition system $S = (V, \Theta, \Phi)$ is a mapping from $V$ to values from the corresponding domains. If $\rho$ is a state, we denote by $\rho'$ the mapping obtained by renaming variables $x_i$ to $x'_i$ in $\rho$. A formula $\phi(\bar{x})$ is interpreted as the set $[\![\phi(\bar{x})]\!]$ of all states $\sigma$ such that $\Re, \sigma \models \phi(\bar{x})$. We define the set $Reach(\Phi)(\Theta)$ of states reachable from the states represented by $\Theta$ via the transition predicate $\Phi$ as the smallest set such that (i) $[\![\Theta]\!] \subseteq Reach(\Phi)(\Theta)$ and (ii) the state $\sigma \in Reach(\Phi)(\Theta)$ whenever $\Re, \rho, \sigma' \models \Phi(\bar{x}, \bar{x}')$ for some $\rho \in Reach(\Phi)(\Theta)$. Since the theory $\Re$ is fixed, we shall not mention it explicitly when we talk about satisfiability and validity in $\Re$. Thus, validity in $\Re$ is denoted by $\models$.

A formula transformer $\Gamma$ is a function mapping formulas to formulas. The strongest postcondition transformer, denoted by $SP(\Phi)$, is defined as $SP(\Phi)(\phi(\bar{x})) = \exists \bar{y}. (\Phi(\bar{y}, \bar{x}) \land \phi(\bar{y}))$. The formula $SP(\Phi)(\phi(\bar{x}))$ denotes the set of states reachable in one step from the set of states represented by $\phi$. Similarly, the weakest precondition transformer, $WP(\Phi)$, is defined as $WP(\Phi)(\phi(\bar{x})) = \forall \bar{y}. (\Phi(\bar{x}, \bar{y}) \to \phi(\bar{y}))$.

A fixed point of a formula transformer $\Gamma$ is a formula $\phi$ such that $\models \Gamma(\phi) \leftrightarrow \phi$. A formula transformer $\Gamma$ is monotonic if $\models \Gamma(\phi) \to \Gamma(\psi)$ whenever $\models \phi \to \psi$. A least fixed point of $\Gamma$, denoted by $\mu\psi. \Gamma(\psi)$, is a fixed point $\phi$ such that for any other fixed point $\psi$ of $\Gamma$, it is the case that $\models (\phi \to \psi)$. A greatest fixed point of $\Gamma$, denoted by $\nu\psi. \Gamma(\psi)$, is a fixed point $\phi$ such that for any other fixed point $\psi$ of $\Gamma$, it is the case that $\models (\psi \to \phi)$. Whenever the transition system $(V, \Theta, \Phi)$ is clear from the context, we define the transformer $\mathcal{T}$ by $\mathcal{T}(\phi) = SP(\Phi)(\phi) \lor \Theta$. Note that the transformer $\mathcal{T}$ is monotonic. The least fixed point of this operator, $\mu\psi. \mathcal{T}(\psi)$, whenever it exists in the first-order language, represents the set $Reach(\Phi)(\Theta)$ of reachable states.


2.1  Invariants 

A formula $\phi$ is an $S$-invariant if $Reach(\Phi)(\Theta) \subseteq [\![\phi]\!]$. Thus, an invariant describes an over-approximation of the set of reachable states. An $S$-inductive invariant is a formula $\phi$ such that (i) $\phi$ is an $S$-invariant, and (ii) $\phi$ is inductive, i.e., $\models SP(\Phi)(\phi) \to \phi$. Condition (ii) can be equivalently stated as $\models \phi \to WP(\Phi)(\phi)$. In other words, $\phi$ is an $S$-inductive invariant if $\models \mathcal{T}(\phi) \to \phi$. Note that the definition does not require an equivalence, but only an implication.

It is easy to establish that the set of reachable states $Reach(\Phi)(\Theta)$ of a system $S$ represents the strongest (inductive) invariant. By this we mean that if $\psi$ is any other (inductive) invariant, then $Reach(\Phi)(\Theta) \subseteq [\![\psi]\!]$. However, note that if $\phi$ is an inductive invariant and $\models (\phi \to \psi)$, then $\psi$ need not be an inductive invariant, because $\psi$ might violate condition (ii). For the purposes of this paper, we will only be interested in inductive invariants. Thus, we are not interested in just obtaining any over-approximation of the set of reachable states, but only those that also satisfy condition (ii). This is because the inductive property provides a sufficient local characterization of the invariance property, which makes the task of proving easier.

Given a transition system $S = (V, \Theta, \Phi)$, the converse transition system $S^{-1} = (V, \Theta, \Phi^{-1})$ is defined by $\Phi^{-1}(\bar{x}, \bar{y}) = \Phi(\bar{y}, \bar{x})$. The following well-known theorem says that if none of the initial states is backward reachable from the states represented by $\phi$, then $\neg\phi$ is an invariant.

Theorem 1. Let $S = (V, \Theta, \Phi)$ be a transition system and $\phi$ an arbitrary formula. If $\psi$ is such that $\models (SP(\Phi^{-1})(\psi) \lor \phi) \to \psi$ and the formula $\Theta \land \psi$ is unsatisfiable, then $\neg\psi$ is an $S$-inductive invariant.

Corollary 1. If $Reach(\Phi^{-1})(\phi) \cap [\![\Theta]\!] = \emptyset$, then the formula corresponding to the complement of the set $Reach(\Phi^{-1})(\phi)$ is an $S$-inductive invariant.

We remark here that although application of the $SP(\Phi)$ transformer is called "forward propagation", the term "backward propagation" is typically used for the transformer $WP(\Phi)$. But there is no anomaly here, as the transformers $SP(\Phi^{-1})$ and $WP(\Phi)$ are duals in the sense that $SP(\Phi^{-1})(\phi)$ is logically equivalent to $\neg WP(\Phi)(\neg\phi)$. Hence, Theorem 1 can be stated in terms of $WP(\Phi)$. It also follows that if formula $\phi$ is an invariant, then the formula $\nu\psi. \phi \land WP(\Phi)(\psi)$ is an inductive invariant that is a strengthening of $\phi$.² Similarly, it is easy to see that there is a corresponding connection between the $SP(\Phi)$ and $WP(\Phi^{-1})$ transformers.

3  Inductive  Invariant  Generation 

In this section, we discuss the problem of automatically generating some useful inductive invariants for a given transition system. It is a simple observation that the greatest fixed point $\nu\phi. \mathcal{T}(\phi)$, whenever it exists, is an $S$-inductive invariant.

Lemma 1. Let $S = (V, \Theta, \Phi)$ be a transition system. Recursively define the sequence of formulas $\phi_0, \phi_1, \ldots$ as follows.

$\phi_0 = true, \qquad \phi_{i+1} = SP(\Phi)(\phi_i) \lor \Theta$

Then, every formula $\phi_i$ is an $S$-inductive invariant. Furthermore, every formula $\phi_i$ in the above sequence can be decomposed as $\psi_i \lor \chi_i$, where

$\psi_0 = false, \qquad \psi_{i+1} = SP(\Phi)(\psi_i) \lor \Theta$

$\chi_0 = true, \qquad \chi_{i+1} = SP(\Phi)(\chi_i).$

The sequence $\psi_0, \psi_1, \ldots$ represents iterations in a least fixed point computation of the $\mathcal{T}$ transformer. The sequence $\chi_0, \chi_1, \ldots$ represents the greatest fixed point component. The formulas $\psi_i$ provide successive under-approximations of the set $Reach(\Phi)(\Theta)$ of reachable states. The formulas $\phi_i$ are inductive over-approximations. The sequence $\psi_0, \psi_1, \ldots$ usually does not terminate, whereas the sequence $\phi_0, \phi_1, \ldots$ often terminates with very weak invariants.

It should be observed here that the greatest fixed point of the $SP(\Phi)(\_) \lor \Theta$ transformer characterizes states $\sigma$ such that there exists a backward path starting from $\sigma$ which is either infinite, or contains some initial state. In the case of finite state transition systems, this is exactly the set of states that either belong to a strongly connected component, or that are reachable from either some initial state or some strongly connected component. Hence, the greatest fixed point may not be the strongest $S$-inductive invariant even in the case of finite systems. Despite its shortcomings, this simple method is attractive since (i) we do not need to detect that the iterations have converged,³ and (ii) every formula $\phi_i$ is an $S$-inductive invariant. Detecting convergence is difficult as it involves deciding if $\models \phi_i \leftrightarrow \phi_{i+1}$.


Example 1. Consider the transition system over ten states presented in Figure 1. States are represented by nodes with integer labels and transitions are represented by edges. State 1 is the initial state. Clearly, the set of reachable states is the set $\{1, 2, 3, 4\}$. The greatest fixed point of $SP(\Phi) \lor \Theta$ is the set consisting of states $\{1, 2, 3, 4, 5, 6, 7, 8, 9\}$.

Fig. 1. A finite state transition system.

² It follows from this duality that the least (greatest) fixed point iterations of $SP(\Phi^{-1}) \lor \phi$ are logically equivalent to the negations of the greatest (least) fixed point iterations of $WP(\Phi) \land \neg\phi$.

³ If $\phi$ is an $S$-invariant, then every iteration in the greatest fixed point computation of $WP(\Phi)(\_) \land \phi$ is also an $S$-invariant. But, if $\phi$ is inductive, then this method yields $\phi$.


3.1  Widening  and  Narrowing 

In  the  case  when  the  state  space  is  either  infinite,  or  finite  but  too  large,  the 
symbolic  computation  of  (greatest  or  least)  fixed  points  of  various  transformers  is 
restricted  by  the  finite  space  and  time  resources  available.  A  well-known  solution 
to  this  problem  is  the  use  of  widening  and  narrowing  to  respectively  enhance  the 
least  and  greatest  fixed  point  computation  (with  gains  obtained  both  in  terms 
of  space  and  time). 

A widening operator $\nabla : \mathcal{F} \times \mathcal{F} \mapsto \mathcal{F}$ is a function such that for all formulas $\phi, \phi' \in \mathcal{F}$, $\models (\phi \lor \phi') \to \nabla(\phi, \phi')$. Similarly, a narrowing operator $\Delta : \mathcal{F} \times \mathcal{F} \mapsto \mathcal{F}$ is a function such that for all formulas $\phi, \phi' \in \mathcal{F}$, $\models \Delta(\phi, \phi') \to (\phi \land \phi')$. Thus, logical disjunction $\lor$ is a trivial widening operator, and logical conjunction $\land$ is a trivial narrowing operator.

The definitions of widening and narrowing are slightly different from the standard ones [8,9]. First, we do not include any conditions to guarantee that increasing (decreasing) sequences are transformed to finite, hence converging, increasing (decreasing) sequences by widening (narrowing). Secondly, in the case of narrowing, the standard definition requires that whenever $\phi' \to \phi$, the formula $\Delta(\phi, \phi')$ is such that $\phi' \to \Delta(\phi, \phi')$ and $\Delta(\phi, \phi') \to \phi$. In our definition, $\Delta(\phi, \phi')$ is stronger than both $\phi$ and $\phi'$, as our interest is in the use of narrowing to obtain under-approximations of the greatest fixed point. But we have to be careful not to eliminate any reachable states by overly aggressive under-approximation; see Lemma 3.

A particularly simple narrowing operator, denoted by $\Delta(\beta)$, is defined by $\Delta(\beta)(\phi, \phi') = \phi \land \phi' \land \beta$, where $\beta$ is an arbitrary formula. Similarly, we can define $\nabla(\alpha)(\phi, \phi') = \phi \lor \phi' \lor \alpha$. Since we are interested in generating inductive invariants, it turns out that in order to guarantee correctness, we can use any arbitrary widening operator, but not any narrowing operator.

Lemma 2. [Upward iteration sequence with widening] Let $\psi_0, \psi_1, \ldots$ be a sequence of formulas such that $\psi_0$ is $\Theta$, and for every $i > 0$, either

(i) $\psi_i$ is $SP(\Phi)(\psi_{i-1}) \lor \psi_{i-1}$, or

(ii) $\psi_i$ is $\nabla(\alpha_i)(\psi_{i-2}, \psi_{i-1})$, where $\alpha_i$ is any arbitrary formula.

Then, if for some $n > 0$, $\models SP(\Phi)(\psi_n) \to \psi_n$, then the formula $\psi_n$ is an $S$-inductive invariant.

Lemma 3. [Downward iteration sequence with narrowing] Let $\phi_0, \phi_1, \ldots$ be a sequence of formulas such that $\phi_0$ is $true$, and for every $i > 0$, either

(i) $\phi_i$ is $SP(\Phi)(\phi_{i-1}) \lor \Theta$, or

(ii) $\phi_i$ is $\Delta(\beta_i)(\phi_{i-2}, \phi_{i-1})$, where $\beta_i$ is some $S$-inductive invariant.

Then, for every $i$, $\phi_i$ is an $S$-inductive invariant⁴ such that $\models \phi_i \to \beta_i$.

Lemma 3 extends the greatest fixed point iterations in Lemma 1 by a narrowing operator. Similarly, Lemma 2 extends the least fixed point computation that is hidden inside the iterations in Lemma 1 by a widening operator.

We obtain the formula $\beta_i$ used in Lemma 3 by identifying strongly connected components consisting of unreachable states. This is achieved using backward propagation from an unreachable state, as outlined in Theorem 1. These unreachable states are not automatically eliminated by the greatest fixed point computation outlined in Lemma 1. Furthermore, an $S$-inductive invariant obtained using Lemma 2 can be used in Step (ii) of Lemma 3. Thus, Lemma 3 gives a method for systematically strengthening known invariants.

Example 2. Following up on Example 1, let $N = \{1, 2, \ldots, 10\}$ denote the set of all states. In order to strengthen the over-approximation, viz. $N - \{10\}$, of the set of reachable states obtained via the greatest fixed point computation, we can try removing certain states. But if we remove a subset of states that is not strongly connected, the subsequent fixed point computation may no longer be monotonic, and could fail to converge.

For instance, removing state 5 from the above set gives a new set $N_1 = N - \{5, 10\}$. Now, $SP(\Phi)(\phi_{N_1}) \lor \Theta$, where $\phi_{N_1}$ is the characteristic predicate of $N_1$, represents the set $N_2 = N - \{6, 10\}$. Clearly, $N_2 \not\subseteq N_1$, and hence the sequence of formulas obtained in the greatest fixed point computation is no longer monotonic. Note that all formulas in the sequence are invariants, but they are not inductive.

In order to identify unreachable states, we note that if we start with the set $N_3 = \{7, 8\}$ and assign $\phi$ in Theorem 1 to the characteristic predicate $\phi_{N_3}$ of $N_3$, then the least fixed point of $SP(\Phi^{-1}) \lor \phi_{N_3}$ represents the set $N_4 = \{5, 6, 7, 8, 9, 10\}$. Now, since the formula $\Theta \land \phi_{N_4}$ is unsatisfiable (i.e. the set $\{1\} \cap N_4 = \emptyset$), it follows from Theorem 1 that the set $\{1, 2, 3, 4\}$ represented by $\neg\phi_{N_4}$ is an $S$-inductive invariant.
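The iterations of Lemma 1, the backward propagation of Theorem 1 and the narrowing step of Lemma 3 as used in Example 2, carried out explicitly in Python. This is an added illustration, not code from the paper or from SAL; because Figure 1 is not reproduced in the text, the edge set is constructed so that it satisfies every fact Examples 1 and 2 state about the system, and a formula over the finite state space is represented by the set of states it denotes.

```python
"""Explicit-state instance of the invariant-generation scheme of Lemmas 1 and 3
and Theorem 1.  Over a finite state space a formula is just the set of states it
denotes, so SP becomes the image under the transition relation, disjunction
becomes union and conjunction becomes intersection."""

N = frozenset(range(1, 11))      # all ten states of Example 1
THETA = frozenset({1})           # initial predicate Theta: state 1 only

# CONSTRUCTED edge set (Figure 1 is not in the text): a reachable cycle
# 1->2->3->4->1 and an unreachable strongly connected component {5,...,9}
# that is entered only from state 10, which itself has no predecessor.
EDGES = frozenset({(1, 2), (2, 3), (3, 4), (4, 1),
                   (10, 5), (5, 6), (6, 7), (7, 8), (8, 9), (9, 5)})


def sp(edges, phi):
    """SP(Phi)(phi): states reachable in one step from phi."""
    return frozenset(t for (s, t) in edges if s in phi)


def converse(edges):
    """Transition relation of the converse system S^-1, Phi^-1(x,y) = Phi(y,x)."""
    return frozenset((t, s) for (s, t) in edges)


def tau(edges, theta, phi):
    """The transformer T(phi) = SP(Phi)(phi) v Theta of Section 2."""
    return sp(edges, phi) | theta


def is_inductive(edges, theta, phi):
    """phi is an S-inductive invariant iff |= T(phi) -> phi (Section 2.1)."""
    return tau(edges, theta, phi) <= phi


def iterate(edges, theta, start, max_steps=100):
    """Iterate T from `start` until a fixed point and return the whole sequence.
    start = N (true) yields the phi_i of Lemma 1 (greatest fixed point side),
    start = {} (false) yields the psi_i (least fixed point side)."""
    seq = [frozenset(start)]
    for _ in range(max_steps):
        nxt = tau(edges, theta, seq[-1])
        if nxt == seq[-1]:
            break
        seq.append(nxt)
    return seq


def backward_reach(edges, beta):
    """Least fixed point of SP(Phi^-1) v beta: all states that can reach beta."""
    return iterate(converse(edges), frozenset(beta), frozenset())[-1]


def narrowing(edges, theta, phi, beta):
    """Theorem 1 used as the narrowing of Lemma 3: conjecture that beta is
    unreachable, propagate backwards, and if Theta is never hit strengthen phi
    with the complement (Delta(~chi)(phi, phi) = phi ^ phi ^ ~chi)."""
    chi = backward_reach(edges, beta)
    if chi & theta:
        return ("Reachable", chi)       # some conjectured state is reachable
    return ("Invariant", phi - chi)     # phi ^ ~chi is again S-inductive


def invgen(edges, theta, all_states):
    """One round of the InvGen scheme: greatest fixed point for the
    over-approximation, least fixed point for the under-approximation, then
    narrow away the part of the over-approximation not known to be reachable."""
    under = iterate(edges, theta, frozenset())[-1]     # psi: reachable states
    over = iterate(edges, theta, all_states)[-1]       # phi: inductive invariant
    kind, result = narrowing(edges, theta, over, over - under)
    return result if kind == "Invariant" else over


if __name__ == "__main__":
    print("gfp invariant :", sorted(iterate(EDGES, THETA, N)[-1]))
    print("lfp reachable :", sorted(iterate(EDGES, THETA, frozenset())[-1]))
    print("narrowed      :", sorted(invgen(EDGES, THETA, N)))
    # Example 2: dropping state 5 alone (not a strongly connected set) breaks
    # monotonicity, since T(N - {5,10}) = N - {6,10} is not contained in N - {5,10}
    n1 = N - {5, 10}
    print("T(N - {5,10}) =", sorted(tau(EDGES, THETA, n1)),
          "inductive?", is_inductive(EDGES, THETA, n1))
```

Running the block reproduces the sets of Examples 1 and 2 on the constructed graph: the greatest fixed point $\{1, \ldots, 9\}$, the reachable set $\{1, 2, 3, 4\}$, and the narrowed invariant $\{1, 2, 3, 4\}$.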

4 An Any-time Algorithm for Generating Inductive Invariants

The transition predicate of a transition system $S = (V = \{x_1, \ldots, x_n\}, \Theta, \Phi)$ is typically specified using a finite set of guarded transitions, where a guarded transition consists of a guard $\gamma \in \mathcal{F}$ and a finite set of assignments $\{x_1 := e_1(\bar{x}), \ldots, x_n := e_n(\bar{x})\}$. A guarded transition $\tau$ is written as

$\gamma \longmapsto x_1 := e_1(\bar{x}); \ldots; x_n := e_n(\bar{x})$

where $e_i$ is some expression with free variables in the set $\bar{x}$. We shall also use the compact notation $\bar{x} := \bar{e}(\bar{x})$ to represent the above assignments.

⁴ Note that the lemma also holds if we drop the word "inductive" from the statement.

A typical specification of a guarded transition system contains at least one control variable, usually the program counter $pc \in \{x_1, \ldots, x_n\}$, which takes values from a finite set, say $\{1, \ldots, p\}$. Control states are defined by formulas of the form $pc = i$, $i \in \{1, \ldots, p\}$. This transition system then has $p$ different control states. Additionally, we assume that the source states of each guarded transition belong to some fixed source control state $pc = i$ (and similarly for the target states), so that each transition $\tau$ can be written as

$pc = i \land \gamma \longmapsto \bar{x} := \bar{e}(\bar{x}); pc := j$

where $\bar{x}$ denotes the variables in $V - \{pc\}$. In this case, we define $src(\tau) = i$ and $tgt(\tau) = j$. By $\Phi_\tau(\bar{x}, \bar{x}')$ we denote the formula $\gamma(\bar{x}) \land \bar{x}' = \bar{e}(\bar{x})$. If $T$ is a set of such transitions, then the transition predicate $\Phi$ is itself defined by $\bigvee_{\tau \in T} pc = src(\tau) \land pc' = tgt(\tau) \land \Phi_\tau$. Similarly, we assume that $\models \Theta \to pc = 1$.

Whenever such a decomposition of the state space into finitely many control states is available such that every transition has a unique source and target control state, the $S$-invariant can be maintained as a conjunction of local invariants indexed by the control locations. We assume that every formula is represented as an array of formulas indexed by the integers $\{1, \ldots, p\}$. Given an $S$-inductive invariant $\phi$ (as an array of formulas), and a transition predicate $\Phi$, the function propagation($\Theta$, $\Phi$, $\phi$, $k$) returns the strengthened $S$-inductive invariant $\mathcal{T}^k(\phi)$.

    function propagation($\Theta$, $\Phi$, $\phi$, $k$) {
      let $\Theta'$ be $pc = 1 \land \Theta$;
      for $k$ iterations do: for every $i$ in parallel do {
        $T_i$ := $\{\tau \in T : tgt(\tau) = i\}$;
        $\phi[i]$ := $\bigvee_{\tau \in T_i} SP(\Phi_\tau)(\phi[src(\tau)]) \lor \Theta'$   if $i = 1$,
                  $\bigvee_{\tau \in T_i} SP(\Phi_\tau)(\phi[src(\tau)])$               if $i \neq 1$;
        $\phi[i]$ := $\Re$-simplify($\phi[i]$);
      }
      return($\phi$);
    }

The function $\Re$-simplify performs quantifier elimination and simplification in the theory $\Re$ and is described in Section 4.2.

Lemma 4. Let $S = (V, \Theta, \Phi)$ be a transition system and let $\varphi_0$ be an array of formulas initialized to $true$. Let $\varphi_k$ denote the array propagation($\Theta$, $\Phi$, $\varphi_0$, $k$) of formulas (assuming $\Re$-simplify always returns equivalent formulas), and let $\phi_k$ be as defined in Lemma 1. Then, for all $k > 0$, $\models \phi_k \leftrightarrow \bigwedge_{i=1}^{p} (pc = i \to \varphi_k[i])$. Consequently, the formula $\bigwedge_{i=1}^{p} (pc = i \to \varphi_k[i])$ is an $S$-inductive invariant, for every $k$.
Notice that the formula $\bigwedge_{i=1}^{p} (pc = i \to \varphi[i])$ is equivalent to the formula $\bigvee_{i=1}^{p} (pc = i \land \varphi[i])$ under the assumption that $\bigvee_{i=1}^{p} (pc = i)$. The computations outlined in the other lemmas and theorems can be suitably cast in terms of local invariants at control locations.


4.1 Combining $SP(\Phi)$ and $SP(\Phi^{-1})$ iterations

The basic algorithm for the automatic generation of inductive invariants consists of affirmation and propagation steps, the essence of which is captured in Lemma 1 and the function propagation. In order to get stronger invariants, we propose the use of narrowing and widening.

The function widening($\psi$, $\phi$, $k$) starts with a given under-approximation $\psi$ of the set of reachable states, and widens it using a subformula $\alpha$ of the over-approximation $\phi$. If this widening yields an $S$-inductive invariant (see Lemma 2) in $k$ propagation steps, then the function returns this invariant; otherwise it just returns $true$.⁵

    function widening($\psi$, $\phi$, $k$) {
      $\chi$ := $\psi$;
      choose $j \in \{1, \ldots, p\}$ and a formula $\alpha$ s.t.
        $\phi[j]$ is of the form $\phi' \lor \alpha$, and $\psi[j] \land \alpha$ is satisfiable;
      $\chi[j]$ := $\chi[j] \lor \alpha$;   /* widening */
      $\chi$ := propagation($\Theta$, $\Phi$, $\chi$, $k$);
      if ($\models$ propagation($\Theta$, $\Phi$, $\chi$, 1)$[i] \to \chi[i]$ for all $i$)
        return($\chi$);   /* new invariant */
      return($true$);
    }

Lemma 5. For any value of the constant $k$, if $\chi$ denotes the array of formulas returned by widening($\psi$, $\phi$, $k$), then the formula $\bigwedge_{i=1}^{p} (pc = i \to \chi[i])$ is an $S$-inductive invariant.

Strongly connected components of unreachable states are detected using backward propagation, and if this succeeds, the information is used for strengthening the current invariant. The subroutine narrowing($\psi$, $\phi$, $k$) chooses a subformula $\beta$ of the over-approximation $\phi$ which could possibly represent unreachable states. Thereafter, it computes the set of states that are backward reachable from the conjectured unreachable states $\beta$, and if this computation terminates without intersecting $\Theta$ (see Theorem 1), then we again have an $S$-inductive invariant.

    function narrowing($\psi$, $\phi$, $k$) {
      choose $j \in \{1, \ldots, p\}$ and a formula $\beta$ s.t.
        $\phi[j]$ is of the form $\phi' \lor \beta$, and $\psi[j] \land \beta$ is unsatisfiable;
      $\chi$ := propagation($pc = j \land \beta$, $\Phi^{-1}$, $false$, $k$);
      if ($\models$ propagation($pc = j \land \beta$, $\Phi^{-1}$, $\chi$, 1)$[i] \to \chi[i]$ for all $i$)
        if ($\models \neg(\chi \land \Theta)$)
          return(Invariant($\neg\chi$));
        else if ($\chi \land \Theta$ is satisfiable)   /* $\beta$ is reachable */
          return(Reachable($pc = j \land \beta$));
      return(Invariant($true$));
    }

⁵ We shall overload $true$ ($false$) to also denote arrays in which every element is $true$ ($false$), and use assignments between arrays to mean element-wise copying.


The return value Reachable($\psi$) of the function narrowing($\psi$, $\phi$, $k$) says that the states represented by $\psi$ are reachable, and the return value Invariant($\psi$) denotes that the formula represented by $\psi$ is an inductive invariant.

Lemma 6. For any value of the constant $k$, if the function narrowing($\psi$, $\phi$, $k$) returns Reachable($\psi$), then $[\![\psi]\!] \subseteq Reach(\Phi)(\Theta)$. Similarly, for any value of the constant $k$, if narrowing($\psi$, $\phi$, $k$) returns Invariant($\psi$), then the formula $\bigwedge_{i=1}^{p} (pc = i \to \psi[i])$ is an $S$-inductive invariant.

Finally, we outline a procedure that uses the various functions described above by combining the least fixed point and greatest fixed point computations with narrowing and widening. In the procedure, the formula $\psi$ always stores an under-approximation of the set of reachable states, and the formula $\phi$ always stores an $S$-inductive invariant. The procedure essentially consists of doing one of four different steps: (i) augmenting $\psi$ using propagation($\Theta$, $\Phi$, $\psi$, $k$), where $k$ is some constant; (ii) strengthening the current invariant $\phi$ using the function propagation($\Theta$, $\Phi$, $\phi$, $k$); (iii) use of widening on the under-approximation for generating an invariant; and (iv) use of narrowing to detect and eliminate unreachable states from the over-approximation.

    /* Given: $S = (V, \Theta, \Phi)$, a transition system with $p$ control states.
       The transition predicate $\Phi$ is indexed by guarded transitions.
       $k$ is an upper bound on the number of iterations. */

    Procedure InvGen:
      $\phi$, $\psi$ : Array[1..p] of formula
      Initialization:
        $\phi$ := $true$;
        $\psi$ := $false$;
      repeatedly do the following {{
        $\psi$ := propagation($\Theta$, $\Phi$, $\psi$, $k$);
        if ($\models$ propagation($\Theta$, $\Phi$, $\psi$, 1)$[i] \to \psi[i]$ for all $i$)
          $\phi$ := $\psi$; terminate the program;
      } OR {
        $\phi$ := propagation($\Theta$, $\Phi$, $\phi$, $k$);
      } OR {
        $\phi$ := $\phi \land$ widening($\psi$, $\phi$, $k$);
      } OR {
        if (narrowing($\psi$, $\phi$, $k$) returns Reachable($\beta$))
          $\psi[j]$ := $\psi[j] \lor \chi$ where $\beta$ is $pc = j \land \chi$;
        else (assuming narrowing returns Invariant($\beta$))
          $\phi[i]$ := $\phi[i] \land \beta[i]$ for all $i$;
      }}

Theorem 2. Let $\phi$ be the array of formulas in the procedure InvGen. Then, at any stage of the procedure, the formula $\bigwedge_{i} (pc = i \to \phi[i])$ is an $S$-inductive invariant.

Our procedure does not consider the control structure of the transition graph to generate invariants. Though specific control structures, like loops, are not relevant for the correctness of the basic procedure, they can be important in choosing specific points for widening or narrowing [6]. We wish to point out that the procedure is tolerant to theorem proving failures and only assumes a refutationally complete prover. In particular, note that the satisfiability test in widening can be eliminated.


4.2  Quantifier  Elimination  and  Simplification 

We remark here that the implementation of propagation requires elimination of existential quantifiers. The existential quantifier in $SP(\Phi^{-1})(\phi)$ and the universal quantifier in $WP(\Phi)(\phi)$ can both be easily eliminated using substitutions. The quantifiers in $SP(\Phi)(\phi)$ and $WP(\Phi^{-1})(\phi)$ cannot be eliminated so easily in general. But in special cases, for instance when the transition is "reversible" (for example, the effect of the assignment $x := x + y$ can be reversed by the assignment $x := x - y$), quantifier elimination reduces to substitution again. In cases where exact quantifier elimination is not possible, we can still get a correct procedure using a quantifier elimination procedure that returns a "weaker" formula, i.e., we do not need an equivalence preserving quantifier elimination procedure.

Let $\Re$-simplify be a function such that $\models \phi \to \Re$-simplify($\phi$). We shall denote the formula $\Re$-simplify($\phi$) by $\bar{\phi}$ in the next theorem.

Theorem 3. Let $\psi_0, \psi_1, \ldots, \psi_l$ be an upward iteration sequence with widening and $\phi_0, \phi_1, \ldots, \phi_l$ be a downward iteration sequence with narrowing (see Lemmas 2 and 3). Then the sequence $\psi_0, \psi_1, \ldots, \psi_l, \bar{\psi_l}$ is also an upward iteration sequence with widening. Similarly, the sequence $\phi_0, \phi_1, \ldots, \phi_{l-1}, \phi'_l$, where $\phi'_l$ is $\phi_{l-1} \land \bar{\phi_l}$, is also a downward iteration sequence with narrowing.

Note that the formula $\phi'_l$ in Theorem 3 can be seen as the result of "narrowing" in the sense of [9]. Theorem 3 makes it possible for simple (and possibly incomplete) quantifier elimination procedures to suffice for our purposes. For instance, when it is not possible to eliminate the existential quantifier from $\exists x. p(x) \land q(x)$, we could weaken this to $\exists x. p(x) \land \exists x. q(x)$ and perform quantifier elimination on atomic formulas. With suitable modifications as outlined in Theorem 3, our procedure continues to be correct. In fact, such simplifications help the convergence of the iterations as well.

Finally, as pointed out in Lemma 1, the implementation of the above procedure can be optimized by combining the arrays $\psi$ and $\phi$ into a single array, say $\varphi$. If the individual formulas $\varphi[i]$ are always stored in disjunctive normal form, then we can distinguish the disjuncts that would appear in $\psi[i]$ by marking them. In this way, a single propagation step can be used to update both $\psi$ and $\phi$. The implementation of the above procedure is being done in the framework of SAL [1], which is a collection of different tools for analyzing concurrent systems.


4.3  Illustrative  Examples 

We  shall  provide  certain  simple  examples  to  illustrate  the  procedure.  The  theory 
of  interest  is  the  theory  of  linear  arithmetic,  and  we  assume  that  we  have  an  exact 
quantifier  elimination  procedure. 

Example 3. Consider the example outlined in Section 1. In this case, the least fixed point sequence converges in two steps. In particular, we obtain the invariant $(pc = inc \to x = 0) \land (pc = dec \to x = 2)$.


Example 4. A simplified version of the Bakery mutual exclusion protocol $S = (V, \Theta, \Phi)$ for two processes $p1$ and $p2$ accessing a critical section $cs$ is given by $V = \{y1 : int, y2 : int, pc1 : \{1, 2, 3\}, pc2 : \{1, 2, 3\}\}$, $\Theta$ is $pc1 = 1 \land pc2 = 1 \land y1 = 0 \land y2 = 0$, and $\Phi$ is defined by the following set of guarded transitions:

    $pc1 = 1 \longmapsto y1 := y2 + 1;\ pc1 := 2;$                       // p1: try
    $pc1 = 2 \land (y2 = 0 \lor y1 < y2) \longmapsto pc1 := 3;$           // p1: enter cs
    $pc1 = 3 \longmapsto y1 := 0;\ pc1 := 1;$                            // p1: exit cs
    $pc2 = 1 \longmapsto y2 := y1 + 1;\ pc2 := 2;$                       // p2: try
    $pc2 = 2 \land (y1 = 0 \lor y2 < y1) \longmapsto pc2 := 3;$           // p2: enter cs
    $pc2 = 3 \longmapsto y2 := 0;\ pc2 := 1;$                            // p2: exit cs

Since this system has an infinite number of reachable states, the least fixed point computation sequence does not converge. We choose to define 9 control locations based on the values of the pc1 and pc2 variables, and we shall use the notation φ[i,j] to denote the current invariant at control location pc1 = i ∧ pc2 = j. After a few iterations, the greatest fixed point iterations yield a formula φ with the following three local invariants (due to space restrictions, we are not writing down the complete formula here):

φ[3,1] : y2 = 0
φ[3,2] : (y2 = y1 + 1) ∨ (y1 = 1 ∧ y2 = 0)
φ[3,3] : (y1 = 0 ∧ y2 = 1) ∨ (y1 = 1 ∧ y2 = 0)

The disjunct β, defined as y1 = 0 ∧ y2 = 1, in control location pc1 = 3 ∧ pc2 = 3 can be conjectured to be unreachable (as the formula ψ[3,3] in the least fixed point iterations is always false), and for a suitable choice of k the formula χ := propagation(pc1 = 3 ∧ pc2 = 3 ∧ β, ρ^(-1), false, k) contains the following strongly connected set of unreachable states:

χ[3,3] : y1 = 0      χ[3,2] : y1 = 0      χ[2,3] : y1 = 0
χ[3,1] : y1 = 0      χ[2,2] : y1 = 0      χ[2,1] : y1 = 0

Similarly, we can eliminate the other possibility (y1 = 1 ∧ y2 = 0) at control location pc1 = 3 ∧ pc2 = 3. This proves mutual exclusion. We can also use a single widening step to obtain an inductive invariant strong enough to prove mutual exclusion. Note that it was pointed out in [5] that the computation of νφ.(WP(ρ)(φ) ∧ (pc1 = 3 ∧ pc2 = 3 → false)) terminates in a finite number of steps and yields an invariant that proves mutual exclusion.

Example 5. Consider the following transitions:

pc = 1 ↦ x := x + 2; y := y + 2; pc := 2;
pc = 2 ↦ x := x − 2; y := y + 2; pc := 1;

with initial state predicate pc = 1 ∧ x = 0 ∧ y = 0. Assuming that the variables x and y are declared to be integers, neither the least fixed point sequence nor the greatest fixed point sequence converges. After a few iterations for computing the greatest fixed point, the formula φ we obtain is:

pc = 1 → (x = 0 ∧ y = 0) ∨ (x = 0 ∧ y = 4) ∨ (x ≥ 0 ∧ y ≥ 8)
pc = 2 → (x = 2 ∧ y = 2) ∨ (x = 2 ∧ y = 6) ∨ (x ≥ 2 ∧ y ≥ 10)

The predicate ≥ can be replaced by the predicates = and >. Now, the disjunct β can be chosen as x > 0 ∧ y ≥ 8 and it can be conjectured to be unreachable. The formula propagation(pc = 1 ∧ β, ρ^(-1), false, 2) contains the following strongly connected set of unreachable states:

pc = 1 → x > 0 ∧ y ≥ 8      pc = 2 → x > 2 ∧ y ≥ 6

Conjunction of the negation of this formula with the original invariant φ gives the following new invariant:

pc = 1 → (x = 0 ∧ y = 0) ∨ (x = 0 ∧ y = 4) ∨ (x = 0 ∧ y ≥ 8)
pc = 2 → (x = 2 ∧ y = 2) ∨ (x = 2 ∧ y = 6) ∨ (x = 2 ∧ y ≥ 10)

As before, in this case again widening can also be used to obtain a similar invariant.
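The claims of Example 5 (that the backward-propagated set is closed under predecessors within φ, that φ and the refined invariant are inductive, and that the forward sequence never converges) can be checked mechanically over a bounded window of integers. The following Python is an added example, not code from the paper or from SAL; the state encoding, the window size and all function names are assumptions of the example.

```python
"""Bounded sanity check of Example 5 (added example, not the paper's code).
States are (pc, x, y); x and y range over a finite window, so this tests the
paper's claims rather than proving them symbolically as the procedure does."""
from itertools import product
INIT = (1, 0, 0)  # initial state predicate pc = 1 and x = 0 and y = 0

def successors(s):
    """The two guarded transitions of Example 5."""
    pc, x, y = s
    return [(2, x + 2, y + 2)] if pc == 1 else [(1, x - 2, y + 2)]

def phi(s):
    """Upper bound phi from the greatest fixed point iterations."""
    pc, x, y = s
    if pc == 1:
        return (x == 0 and y == 0) or (x == 0 and y == 4) or (x >= 0 and y >= 8)
    return (x == 2 and y == 2) or (x == 2 and y == 6) or (x >= 2 and y >= 10)

def chi(s):
    """Set returned by propagation(pc = 1 and beta, rho^-1, false, 2)."""
    pc, x, y = s
    return (x > 0 and y >= 8) if pc == 1 else (x > 2 and y >= 6)

def refined(s):
    """The new invariant: phi conjoined with the negation of chi."""
    return phi(s) and not chi(s)

def window(bound):
    return product((1, 2), range(-bound, bound + 1), range(-bound, bound + 1))

def closed_under_predecessors(bad, upper, bound=40):
    """Every upper-state with a successor in bad is itself in bad.  Together
    with INIT lying outside bad, this is what makes bad a strongly connected
    set of unreachable states: no state outside it (within upper) can enter."""
    return not any(upper(s) and not bad(s) and any(bad(t) for t in successors(s))
                   for s in window(bound))

def inductive(inv, bound=40):
    """inv holds initially and every transition from an inv-state stays in inv."""
    return inv(INIT) and all(inv(t) for s in window(bound) if inv(s)
                             for t in successors(s))

def reachable(steps):
    """Exact forward reachability for a fixed number of steps (the least fixed
    point sequence psi); it never converges because y grows without bound."""
    seen, frontier = {INIT}, {INIT}
    for _ in range(steps):
        frontier = {t for s in frontier for t in successors(s)} - seen
        seen |= frontier
    return seen
```

The refined invariant still admits states such as (pc = 1, x = 0, y = 9) that are never reached, since the exact reachable set needs divisibility by 4, which linear arithmetic cannot express; this is the language restriction discussed in Section 5.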

5 Related Work and Concluding Remarks

Early work [10,12] on generating invariants for sequential programs has been extended to the case of reactive systems in [2,5,11,13,16]. These methods are usually based on the propagation of invariants through the control structure of the different components and on combining local invariants of each component to construct global invariants of the system.

Forward and backward propagation using the operators SP(ρ) and WP(ρ) is also used in [5] as the basic technique for generating invariants. In addition, over-approximations such as the convex hull of the union of polyhedra are used for widening fixed point computations. Our approach differs in that we consider simultaneous forward and backward propagation for computing both lower and upper bounds of the reachable state sets. These bounds are also used for computing suitable narrowing and widening operators. The combination of these techniques usually yields much stronger invariants. Moreover, our algorithm is an any-time algorithm, in the sense that it can be interrupted at any time to yield the most refined inductive invariant computed up to the point of interruption.

The method of generalized reaffirmed invariance and propagation was introduced in [2] and is based on affirming local invariants of the form SP(ρ(τ))(true) and propagating these local invariants along all transitions. This process of affirmation and propagation, however, is performed only in the special case when all the existential quantifiers arising in the process are trivial, i.e., when the quantified variables do not occur in the rest of the formula; the twos example in the introduction does not possess this property. The technique presented in [2] also uses information about the control transition graph, especially knowledge about cycles and how variables are manipulated in the cycle transitions, to generate stronger invariants. In some cases, these stronger local invariants can be generated by repeated propagation (in the stronger sense defined in this paper). In general, however, the detection of unreachable cycles is crucial, as outlined in Theorem 1.

Techniques based on abstraction have also been proposed for generating invariants [3,14]. It appears attractive to first create (finite) abstractions for large programs and then to use standard propagation techniques to obtain the set of states reachable in the abstract system. This set can then be concretized to obtain invariants of the concrete system. Abstraction can be cast as a special widening strategy in our procedure. More specifically, let (α, γ) be an abstraction and concretization pair (Galois connection) for a transition system S = (V, Θ, ρ). Let S_α = (V_α, Θ_α, ρ_α) denote the abstract transition system. If


is a least fixed point computation on the abstract transition system S_α, then one obtains a corresponding fixed point computation with widening on the concrete system

as follows: the formula φ'^(i) is SP(ρ)(φ^(i−1)) ∨ φ^(i−1) (Step (i) of Lemma 2), and φ^(i) is φ'^(i) ∨ γ(α(φ'^(i))) (Step (ii) of Lemma 2). Now, if φ^(i) ⊨ γ(ψ_α^(i)) then it is also the case that φ^(i+1) ⊨ γ(ψ_α^(i+1)). Thus, the fixed point computation on the abstract transition system can be suitably captured in the concrete system. We shall not prove this claim here, but refer to [9] for a similar result.

Note that the set of generated invariants is restricted to the ones expressible in the language of the theory ℜ. A program that performs multiplication by repeated addition, for example, never uses the multiplication operator, but any expression that describes the set of reachable states typically would use the multiplication operator.
In summary, we present a technique for generation of inductive invariants using a combination of least and greatest fixed point computations of the forward and backward propagation operators. With obvious modifications, the results can be used to strengthen invariants. Thus, any technique for generation of invariants, inductive or not, can be incorporated with the techniques in this paper.